+description: This article provides information on how to add readiness or liveness health probes to AKS pods by using Application Gateway.

+# Add health probes to your AKS pods

+By default, the Application Gateway Ingress Controller (AGIC) provisions an HTTP `GET` probe for exposed Azure Kubernetes Service (AKS) pods. You can customize the probe properties by adding a [readiness or liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) to your deployment or pod specification.

+## Code for adding a readiness or liveness probe

+For more information, see the [Kubernetes API reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#httpgetaction-v1-core).

+> - `readinessProbe` and `livenessProbe` are supported when you configure them with `httpGet`.

+> - Probing on a port other than the one exposed on the pod is currently not supported.

+> - `HttpHeaders`, `InitialDelaySeconds`, and `SuccessThreshold` aren't supported.

+If the code doesn't include a readiness or liveness probe, the ingress controller makes an assumption that the service is reachable on either:

+- The `Path` value that's specified for `backend-path-prefix` annotation

+- The `path` value that's specified in the `ingress` definition for the service

+## Default values for the health probe

+Any property that the readiness or liveness probe can't infer uses the following default values.

+| Application Gateway probe property | Default value |

+| `Path` | `/` |

+| `Host` | `localhost` |

+| `Protocol` | `HTTP` |

+| `Timeout` | `30` |

+| `Interval` | `30` |

+| `UnhealthyThreshold` | `3` |

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+description: This article provides instructions on how to scale your AKS back-end pods by using Application Gateway metrics and the Azure Kubernetes Metrics Adapter.

+# Autoscale your AKS pods by using Application Gateway metrics

+This article explains how you can use the `AvgRequestCountPerHealthyHost` metric in Azure Application Gateway to scale up Azure Kubernetes Service (AKS) pods for an application. The `AvgRequestCountPerHealthyHost` metric measures average requests sent to a specific combination of a back-end pool and a back-end HTTP setting.

+Use the following two components:

+- [Azure Kubernetes Metrics Adapter](https://github.com/Azure/azure-k8s-metrics-adapter): You use this component to expose Application Gateway metrics through the metric server. It's an open-source project under Azure, similar to the Application Gateway Ingress Controller.

+- [Horizontal Pod Autoscaler](/azure/aks/concepts-scale#horizontal-pod-autoscaler): You use this component to apply Application Gateway metrics and target a deployment for scaling.

+> The Azure Kubernetes Metrics Adapter is no longer maintained. Kubernetes Event-driven Autoscaling (KEDA) is an alternative.

+## Set up the Azure Kubernetes Metrics Adapter

+1. Create a Microsoft Entra service principal and assign it `Monitoring Reader` access over the Application Gateway instance's resource group:

+1. Deploy the Azure Kubernetes Metrics Adapter by using the Microsoft Entra service principal that you created previously:

+1. Create an `ExternalMetric` resource with the name `appgw-request-count-metric`. This resource instructs the metric adapter to expose the `AvgRequestCountPerHealthyHost` metric for the `myApplicationGateway` resource in the `myResourceGroup` resource group. You can use the `filter` field to target a specific back-end pool and back-end HTTP setting in the Application Gateway instance.

+ resourceGroup: myResourceGroup # replace with your Application Gateway instance's resource group name

+ resourceName: myApplicationGateway # replace with your Application Gateway instance's name

+You can now make a request to the metric server to see if the new metric is being exposed:

+## Use the new metric to scale up the deployment

+After you expose `appgw-request-count-metric` through the metric server, you're ready to use the [Horizontal Pod Autoscaler](/azure/aks/concepts-scale#horizontal-pod-autoscaler) to scale up your target deployment.

+The following example targets a sample deployment named `aspnet`. You scale up pods when `appgw-request-count-metric` is `200` per pod, up to a maximum of `10` pods.

+Replace your target deployment name and apply the following autoscale configuration:

+Test your setup by using a load test tool like ApacheBench:

+- [Troubleshoot Application Gateway Ingress Controller issues](ingress-controller-troubleshoot.md)

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+ Title: Enable cookie-based affinity with Application Gateway

+description: This article provides information on how to enable cookie-based affinity with Application Gateway.

+# Enable cookie-based affinity with Application Gateway

+As outlined in the [Azure Application Gateway documentation](./application-gateway-components.md#http-settings), Application Gateway supports cookie-based affinity. This support means that the service can direct subsequent traffic from a user session to the same server for processing.

+```

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+description: This article provides information on how to disable and re-enable the AGIC add-on for your AKS cluster.

+# Disable and re-enable the AGIC add-on for your AKS cluster

+When you deploy the Application Gateway Ingress Controller (AGIC) as an Azure Kubernetes Service (AKS) add-on, you can enable and disable the add-on with one line in the Azure CLI.

+The life cycle of the Azure Application Gateway instance differs when you disable the AGIC add-on, depending on whether you created the Application Gateway instance by using the AGIC add-on or you deployed it separately from the add-on. You can run the same command to re-enable the AGIC add-on if you ever disable it, or to enable the AGIC add-on by using an existing AKS cluster and Application Gateway instance.

+## Disable the AGIC add-on with an associated Application Gateway instance

+If the AGIC add-on automatically deployed the Application Gateway instance for you when you first set up everything, then disabling the AGIC add-on might delete the Application Gateway instance by default. The AGIC add-on considers two criteria to determine if it should delete the associated Application Gateway instance:

+- Is the Application Gateway instance deployed in the `MC_*` node resource group?

+- Does the Application Gateway instance have the tag `created-by: ingress-appgw`? AGIC uses the tag to determine whether or not the add-on deployed the Application Gateway instance.

+If both criteria are met, the AGIC add-on deletes the Application Gateway instance when you disable the add-on. However, the AGIC add-on doesn't delete the public IP address or the subnet in which it deployed the Application Gateway instance.

+If the first criterion isn't met, disabling the add-on doesn't delete the Application Gateway instance, even if the instance has the `created-by: ingress-appgw` tag. Likewise, if the second criterion isn't met (that is, the Application Gateway instance lacks that tag), disabling the add-on doesn't delete the Application Gateway instance in the `MC_*` node resource group.

+> [!TIP]

+> If you don't want the add-on to delete your Application Gateway instance when you disable the add-on, but the instance meets both criteria, remove the `created-by: ingress-appgw` tag.

+To disable the AGIC add-on, run the following command:

+## Enable the AGIC add-on on an existing Application Gateway instance and AKS cluster

+If you ever disable the AGIC add-on and need to re-enable it, or you want to enable the add-on by using an existing Application Gateway instance and AKS cluster, run the following command:

+## Related content

+- For more information on how to enable the AGIC add-on by using an existing Application Gateway instance and AKS cluster, see [this tutorial](tutorial-ingress-controller-add-on-existing.md).

+- For information about Application Gateway for Containers, see [What is Application Gateway for Containers?](for-containers/overview.md).

+description: This article provides information on how to expose an AKS service over HTTP or HTTPS by using Application Gateway.

+# Expose an AKS service over HTTP or HTTPS by using Application Gateway

+This article illustrates the usage of [Kubernetes ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/) to expose an example Azure Kubernetes Service (AKS) service through [Azure Application Gateway](https://azure.microsoft.com/services/application-gateway/) over HTTP or HTTPS.

+- An installed `ingress-azure` Helm chart:

+ - [Greenfield deployment](ingress-controller-install-new.md): If you're starting from scratch, refer to these installation instructions, which outline steps to deploy an AKS cluster with Application Gateway and install the Application Gateway Ingress Controller (AGIC) on the AKS cluster.

+ - [Brownfield deployment](ingress-controller-install-existing.md): If you have an existing AKS cluster and Application Gateway instance, refer to these instructions to install AGIC on the AKS cluster.

+- An x509 certificate and its private key, if you want to use HTTPS on this application.

+## Deploy the guestbook application

+The `guestbook` application is a canonical Kubernetes application that consists of a web UI front end, a back end, and a Redis database.

+By default, `guestbook` exposes its application through a service with the name `frontend` on port `80`. Without a Kubernetes ingress resource, the service isn't accessible from outside the AKS cluster. You use the application, and set up ingress resources to access the application, through HTTP and HTTPS.

+To deploy the `guestbook` application:

+1. Download `guestbook-all-in-one.yaml` from [this GitHub page](https://raw.githubusercontent.com/kubernetes/examples/master/guestbook/all-in-one/guestbook-all-in-one.yaml).

+1. Deploy `guestbook-all-in-one.yaml` into your AKS cluster by running this command:

+ ```bash

+ kubectl apply -f guestbook-all-in-one.yaml

+ ```

+To expose the `guestbook` application, use the following ingress resource:

+This ingress exposes the `frontend` service of the `guestbook-all-in-one` deployment as a default back end of the Application Gateway instance.

+Save the preceding ingress resource as `ing-guestbook.yaml`:

+1. Deploy `ing-guestbook.yaml` by running this command:

+1. Check the log of the ingress controller for the deployment status.

+Now the `guestbook` application should be available. You can check the availability by visiting the public address of the Application Gateway instance.

+### Without a specified host name

+If you don't specify a host name, the `guestbook` service is available on all the host names that point to the Application Gateway instance.

+1. Before you deploy the ingress resource, create a Kubernetes secret to host the certificate and private key:

+1. Define the following ingress resource. In the `secretName` section, replace `<guestbook-secret-name>` with the name of your secret.

+1. Store the ingress resource in a file named `ing-guestbook-tls.yaml`.

+1. Deploy `ing-guestbook-tls.yaml` by running this command:

+1. Check the log of the ingress controller for the deployment status.

+### With a specified host name

+You can also specify the host name on the ingress resource to multiplex TLS configurations and services. When you specify a host name, the `guestbook` service is available only on the specified host.

+1. Define the following ingress resource. In the `secretName` section, replace `<guestbook-secret-name>` with the name of your secret. In the `hosts` and `host` sections, replace `<guestbook.contoso.com>` with your host name.

+1. Deploy `ing-guestbook-tls-sni.yaml` by running this command:

+1. Check the log of the ingress controller for the deployment status.

+Now the `guestbook` application is available on both HTTP and HTTPS, only on the specified host.

+Use the following ingress resource to add paths and redirect those paths to other

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+description: This article provides information on how to expose a WebSocket server to Application Gateway with an ingress controller for AKS clusters.

+Azure Application Gateway v2 [provides native support for the WebSocket and HTTP/2 protocols](features.md#websocket-and-http2-traffic). Both Application Gateway and the Kubernetes ingress don't have a user-configurable setting to selectively enable or disable WebSocket support.

+## YAML for WebSocket server deployment

+The following Kubernetes deployment YAML shows the minimum configuration for deploying a WebSocket server, which is the same as deploying a regular web server:

+Assuming that all the prerequisites are fulfilled, and you have an Application Gateway instance controlled by a Kubernetes ingress in Azure Kubernetes Service (AKS), the preceding deployment would result in a WebSocket server exposed on port 80 of your Application Gateway instance's public IP address and the `ws.contoso.com` domain.

+## WebSocket health probes

+If your deployment doesn't explicitly define health probes, Application Gateway attempts an HTTP `GET` operation on your WebSocket server endpoint.

+Depending on the server implementation (such as [this example](https://github.com/gorilla/websocket/blob/master/examples/chat/main.go)), you might need WebSocket-specific headers (`Sec-Websocket-Version`, for instance).

+Because Application Gateway doesn't add WebSocket headers, the Application Gateway health probe response from your WebSocket server is most likely `400 Bad Request`. Application Gateway then marks your pods as unhealthy. This status eventually results in a `502 Bad Gateway` error for the consumers of the WebSocket server.

+To avoid the `502 Bad Gateway` error, you might need to add an HTTP `GET` handler for a health check to your server. For example, `/health` returns `200 OK`.

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+ Title: Create an ingress controller by using an existing Application Gateway instance

+description: This article provides information on how to deploy the Application Gateway Ingress Controller by using an existing Application Gateway instance.

+# Install AGIC by using an existing Application Gateway instance

+The Application Gateway Ingress Controller (AGIC) is a pod within your Azure Kubernetes Service (AKS) cluster. AGIC monitors the Kubernetes [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) resources. It creates and applies an Azure Application Gateway configuration based on the status of the Kubernetes cluster.

+This article assumes that you already installed the following tools and infrastructure:

+- [An AKS cluster](/azure/aks/intro-kubernetes) with [Azure Container Networking Interface (CNI)](/azure/aks/configure-azure-cni).

+- [Application Gateway v2](./tutorial-autoscale-ps.md) in the same virtual network as the AKS cluster.

+- [Microsoft Entra Workload ID](/azure/aks/workload-identity-overview) configured for your AKS cluster.

+- [Azure Cloud Shell](https://shell.azure.com/) as the Azure shell environment, which has `az` (Azure CLI), `kubectl`, and `helm` installed. These tools are required for commands that support configuring this deployment.

+## Add the Helm repository

+[Helm](/azure/aks/kubernetes-helm) is a package manager for Kubernetes. You use it to install the `application-gateway-kubernetes-ingress` package.

+If you use Cloud Shell, you don't need to install Helm. Cloud Shell comes with Helm version 3. Run the following commands to add the AGIC Helm repository for an AKS cluster that's enabled with Kubernetes role-based access control (RBAC):

+```bash

+kubectl create serviceaccount --namespace kube-system tiller-sa

+kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller-sa

+helm init --tiller-namespace kube-system --service-account tiller-sa

+```

+## Back up the Application Gateway instance

+Before you install AGIC, back up your Application Gateway instance's configuration:

+1. In the [Azure portal](https://portal.azure.com/), go to your Application Gateway instance.

+2. In the **Automation** section, select **Export template** and then select **Download**.

+The downloaded .zip file contains JSON templates, Bash scripts, and PowerShell scripts that you can use to restore Application Gateway, if a restoration becomes necessary.

+## Set up an identity for Resource Manager authentication

+AGIC communicates with the Kubernetes API server and [Azure Resource Manager](../azure-resource-manager/management/overview.md). It requires an identity to access these APIs. You can use either Microsoft Entra Workload ID or a service principal.

+### Set up Microsoft Entra Workload ID

+[Microsoft Entra Workload ID](/azure/aks/workload-identity-overview) is an identity that you assign to a software workload. This identity enables your AKS pod to authenticate with other Azure resources.

+For this configuration, you need authorization for the AGIC pod to make HTTP requests to Azure Resource Manager.

+1. Use the Azure CLI [az account set](/cli/azure/account#az-account-set) command to set a specific subscription to be the current active subscription:

+ Then use the [az identity create](/cli/azure/identity#az-identity-create) command to create a managed identity. You must create the identity in the [node resource group](/azure/aks/concepts-clusters-workloads#node-resource-group). The node resource group is assigned a name by default, such as `MC_myResourceGroup_myAKSCluster_eastus`.

+1. For the role assignment, run the following command to identify the `principalId` value for the newly created identity:

+1. Grant the identity **Contributor** access to your Application Gateway instance. You need the ID of the Application Gateway instance, which looks like `/subscriptions/A/resourceGroups/B/providers/Microsoft.Network/applicationGateways/C`.

+ First, get the list of Application Gateway IDs in your subscription by running the following command:

+ ```powershell-interactive

+ # Get the principal ID for the user-assigned identity

+1. Grant the identity **Reader** access to the Application Gateway resource group. The resource group ID looks like

+`/subscriptions/A/resourceGroups/B`. You can get all resource groups by running `az group list --query '[].id'`.

+ # Get the principal ID for the user-assigned identity

+ # Assign the Reader role to the user-assigned identity at the resource group scope

+> [!NOTE]

+> Make sure the identity that AGIC uses has the **Microsoft.Network/virtualNetworks/subnets/join/action** permission delegated to the subnet where Application Gateway is deployed. If you didn't define a custom role that has this permission, you can use the built-in **Network Contributor** role.

+### Set up a service principal

+It's also possible to provide AGIC access to Azure Resource Manager by using a Kubernetes secret:

+1. Create an Active Directory service principal and encode it with Base64. The Base64 encoding is required for the JSON blob to be saved to Kubernetes.

+2. Add the Base64-encoded JSON blob to the `helm-config.yaml` file. The `helm-config.yaml` file configures AGIC.

+## Deploy the AGIC add-on

+### Create a deployment manifest for the ingress controller

+### Deploy the ingress controller

+## Install the ingress controller as a Helm chart

+Use [Cloud Shell](https://shell.azure.com/) to install the AGIC Helm package:

+1. Perform a Helm update:

+1. Download `helm-config.yaml`:

+1. Edit `helm-config.yaml` and fill in the values for `appgw` and `armAuth`.

+ > `<identity-client-id>` is a property of the Microsoft Entra Workload ID value that you set up in the previous section. You can retrieve this information by running the following command: `az identity show -g <resourcegroup> -n <identity-name>`. In that command, `<resourcegroup>` is the resource group that hosts the infrastructure resources related to the AKS cluster, Application Gateway, and the managed identity.

+1. Install the Helm chart with the `helm-config.yaml` configuration from the previous step:

+ Alternatively, you can combine `helm-config.yaml` and the Helm command in one step:

+1. Check the log of the newly created pod to verify that it started properly.

+To understand how you can expose an AKS service to the internet over HTTP or HTTPS by using an Azure Application Gateway instance, see [this how-to guide](ingress-controller-expose-service-over-http-https.md).

+## Set up a shared Application Gateway instance

+By default, AGIC assumes full ownership of the Application Gateway instance that it's linked to. AGIC version 0.8.0 and later can share a single Application Gateway instance with other Azure components. For example, you could use the same Application Gateway instance for an app

+that's hosted on an [Azure virtual machine scale set](https://azure.microsoft.com/services/virtual-machine-scale-sets/) and an AKS cluster.

+### Example scenario

+Let's look at an imaginary Application Gateway instance that manages traffic for two websites:

+- `dev.contoso.com`: Hosted on a new AKS cluster by using Application Gateway and AGIC.

+- `prod.contoso.com`: Hosted on a virtual machine scale set.

+With default settings, AGIC assumes 100% ownership of the Application Gateway instance that it's pointed to. AGIC overwrites all of the App Gateway configuration. If you manually create a listener for `prod.contoso.com` on Application Gateway without defining it in the Kubernetes ingress, AGIC deletes the `prod.contoso.com` configuration within seconds.

+To install AGIC and also serve `prod.contoso.com` from the machines that use the virtual machine scale set, you must constrain AGIC to configuring

+`dev.contoso.com` only. You facilitate this constraint by instantiating the following [custom resource definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/):

+The preceding command creates an `AzureIngressProhibitedTarget` object. This object makes AGIC (version 0.8.0 and later) aware of the existence of

+the Application Gateway configuration for `prod.contoso.com`. This object also explicitly instructs AGIC to avoid changing any configuration

+related to that host name.

+### Enable a shared Application Gateway instance by using a new AGIC installation

+In the `appgw:` section, add a `shared` key and set it to `true`:

+ shared: true # Add this field to enable shared Application Gateway

+1. Ensure that the `AzureIngressProhibitedTarget` CRD is installed:

+ ```bash

+ kubectl apply -f https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/7b55ad194e7582c47589eb9e78615042e00babf3/crds/AzureIngressProhibitedTarget-v1-CRD-v1.yaml

+ ```

+2. Update Helm:

+ ```bash

+ helm upgrade \

+ --recreate-pods \

+ -f helm-config.yaml \

+ agic-controller

+ oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure

+ ```

+The `prohibit-all-targets` object prohibits AGIC from changing the configuration for *any* host and path. Helm installed with `appgw.shared=true` deploys AGIC, but it doesn't make any changes to Application Gateway.

+Because Helm with `appgw.shared=true` and the default `prohibit-all-targets` blocks AGIC from applying a configuration, you must broaden AGIC permissions:

+1. Create a new YAML file named `AzureIngressProhibitedTarget` with the following snippet that contains your specific setup:

+2. Now that you've created your own custom prohibition, you can delete the default one, which is too broad:

+### Enable a shared Application Gateway instance for an existing AGIC installation

+Assume that you already have a working AKS cluster and an Application Gateway instance, and you configured AGIC in your cluster. You have an Ingress for `prod.contoso.com` and are successfully serving traffic for it from the cluster.

+You want to add `staging.contoso.com` to your existing Application Gateway instance, but you need to host it on a [virtual machine](https://azure.microsoft.com/services/virtual-machines/). You're going to reuse the existing Application Gateway instance and manually configure a listener and back-end pools for `staging.contoso.com`. But manually tweaking the Application Gateway configuration (by using the [Azure portal](https://portal.azure.com), [Resource Manager APIs](/rest/api/resources/), or [Terraform](https://www.terraform.io/)) would conflict with AGIC's assumptions of full ownership. Shortly after you apply changes, AGIC overwrites or deletes them.

+You can prohibit AGIC from making changes to a subset of the configuration:

+1. Create a new YAML file named `AzureIngressProhibitedTarget` by using the following snippet:

+3. Modify the Application Gateway configuration from the Azure portal. For example, add listeners, routing rules, and back ends. The new object that you created (`manually-configured-staging-environment`) prohibits AGIC from overwriting the Application Gateway configuration related to

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+ Title: Create an ingress controller by using a new Application Gateway instance

+description: This article provides information on how to deploy the Application Gateway Ingress Controller by using a new Application Gateway instance.

+# Install AGIC by using a new Application Gateway instance

+The instructions in this article assume that you want to install the Application Gateway Ingress Controller (AGIC) in an environment that has no preexisting components.

+## Install required command-line tools

+We recommend the use of [Azure Cloud Shell](https://shell.azure.com/) for all the command-line operations in this article. You can open Cloud Shell by selecting the **Launch Cloud Shell** button.

+Alternatively, open Cloud Shell from the Azure portal by selecting its icon.

+

+Your Cloud Shell instance already has all necessary tools. If you choose to use another environment, ensure that the following command-line tools are installed:

+- `az`: Azure CLI ([installation instructions](/cli/azure/install-azure-cli))

+- `kubectl`: Kubernetes command-line tool ([installation instructions](https://kubernetes.io/docs/tasks/tools/install-kubectl))

+- `helm`: Kubernetes package manager ([installation instructions](https://github.com/helm/helm/releases/latest))

+- `jq`: Command-line JSON processor ([installation instructions](https://stedolan.github.io/jq/download/))

+## Create an identity

+Use the following steps to create a Microsoft Entra [service principal object](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object).

+1. Create an Active Directory service principal, which includes an [Azure role-based access control (RBAC)](../role-based-access-control/overview.md) role:

+ Record the `appId` and `password` values from the JSON output. You'll use them in the next steps.

+1. Use the `appId` value from the previous command's output to get the `id` of the new service principal:

+ The output of this command is `objectId`. Record this value, because you'll use it in the next step.

+1. Create the parameter file that you'll use in the Azure Resource Manager template (ARM template) deployment:

+ To deploy a Kubernetes RBAC-enabled cluster, set `aksEnableRBAC` to `true`.

+## Deploy components

+The following procedure adds these components to your subscription:

+- [Azure Kubernetes Service (AKS)](/azure/aks/intro-kubernetes)

+- [Azure Application Gateway](./overview.md) v2

+- [Azure Virtual Network](../virtual-network/virtual-networks-overview.md) with two [subnets](../virtual-network/virtual-networks-overview.md)

+- [Public IP address](../virtual-network/ip-services/virtual-network-public-ip-address.md)

+- [Managed identity](../active-directory/managed-identities-azure-resources/overview.md), which [Microsoft Entra Pod Identity](https://github.com/Azure/aad-pod-identity/blob/master/README.md) will use.

+To deploy the components:

+1. Download the ARM template:

+1. Deploy the ARM template by using the Azure CLI, and modify it as needed. The deployment might take up to 5 minutes.

+1. After the deployment finishes, download the deployment output into a file named `deployment-outputs.json`:

+## Set up AGIC

+With the instructions in the previous section, you created and configured a new AKS cluster and an Application Gateway instance. You're now ready to deploy a sample app and an ingress controller to your new Kubernetes infrastructure.

+### Set up Kubernetes credentials

+For the following steps, you need to set up the [kubectl](https://kubectl.docs.kubernetes.io/) command, which you'll use to connect to your new Kubernetes cluster. [Cloud Shell](https://shell.azure.com/) has `kubectl` already installed. You'll use `az` (Azure CLI) to obtain credentials for Kubernetes.

+Get credentials for your newly deployed AKS instance. For more information about the following commands, see [Use Azure RBAC for Kubernetes authorization with kubectl](/azure/aks/manage-azure-rbac#use-azure-rbac-for-kubernetes-authorization-with-kubectl).

+# use the deployment-outputs.json file created after deployment to get the cluster name and resource group name

+[Microsoft Entra Pod Identity](https://github.com/Azure/aad-pod-identity) provides token-based access to [Azure Resource Manager](../azure-resource-manager/management/overview.md).

+Microsoft Entra Pod Identity adds the following components to your Kubernetes cluster:

+- Kubernetes [custom resource definitions (CRDs)](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/): `AzureIdentity`, `AzureAssignedIdentity`, `AzureIdentityBinding`

+- [Managed Identity Controller (MIC)](https://github.com/Azure/aad-pod-identity#managed-identity-controllermic) component

+- [Node Managed Identity (NMI)](https://github.com/Azure/aad-pod-identity#node-managed-identitynmi) component

+To install Microsoft Entra Pod Identity to your cluster, use one of the following commands:

+- Kubernetes RBAC-enabled AKS cluster:

+ ```bash

+ kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml

+ ```

+- Kubernetes RBAC-disabled AKS cluster:

+ ```bash

+ kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment.yaml

+ ```

+### Add the Helm repository

+[Helm](/azure/aks/kubernetes-helm) is a package manager for Kubernetes. You use it to install the `application-gateway-kubernetes-ingress` package.

+If you use [Cloud Shell](https://shell.azure.com/), you don't need to install Helm. Cloud Shell comes with Helm version 3. Run one of the following commands to add the AGIC Helm repository:

+- Kubernetes RBAC-enabled AKS cluster:

+ ```bash

+ kubectl create serviceaccount --namespace kube-system tiller-sa

+ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller-sa

+ helm init --tiller-namespace kube-system --service-account tiller-sa

+ ```

+- Kubernetes RBAC-disabled AKS cluster:

+ ```bash

+ helm init

+ ```

+### Install the ingress controller's Helm chart

+1. Use the `deployment-outputs.json` file that you created earlier to create the following variables:

+1. Download `helm-config.yaml`, which configures AGIC:

+ Or copy the following YAML file:

+ # result in Ingress Controller observing all accessible namespaces.

+1. Edit the newly downloaded `helm-config.yaml` file and fill out the sections for `appgw` and `armAuth`:

+ > If you're deploying to a sovereign cloud (for example, Azure Government), you must add the `appgw.environment` configuration parameter and set it to the appropriate value.

+ Here are the values:

+ - `verbosityLevel`: Sets the verbosity level of the AGIC logging infrastructure. For possible values, see [Logging levels](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/463a87213bbc3106af6fce0f4023477216d2ad78/docs/troubleshooting.md#logging-levels).

+ - `appgw.environment`: Sets the cloud environment. Possible values: `AZURECHINACLOUD`, `AZUREGERMANCLOUD`, `AZUREPUBLICCLOUD`, `AZUREUSGOVERNMENTCLOUD`.

+ - `appgw.subscriptionId`: The Azure subscription ID in which Application Gateway resides. Example: `a123b234-a3b4-557d-b2df-a0bc12de1234`.

+ - `appgw.resourceGroup`: Name of the Azure resource group in which you created the Application Gateway instance. Example: `app-gw-resource-group`.

+ - `appgw.name`: Name of the Application Gateway instance. Example: `applicationgatewayd0f0`.

+ - `appgw.shared`: Boolean flag that defaults to `false`. Set it to `true` if you need a [shared Application Gateway instance](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/072626cb4e37f7b7a1b0c4578c38d1eadc3e8701/docs/setup/install-existing.md#multi-cluster--shared-app-gateway).

+ - `kubernetes.watchNamespace`: Specifies the namespace that AGIC should watch. The namespace value can be a single string value or a comma-separated list of namespaces.

+ - `armAuth.type`: Could be `aadPodIdentity` or `servicePrincipal`.

+ - `armAuth.identityResourceID`: Resource ID of the Azure managed identity.

+ - `armAuth.identityClientID`: Client ID of the identity.

+ - `armAuth.secretJSON`: Needed only when you choose a service principal as the secret type (that is, when you set `armAuth.type` to `servicePrincipal`).

+ > You created the `identityResourceID` and `identityClientID` values during the earlier steps for [deploying components](ingress-controller-install-new.md#deploy-components). You can obtain them again by using the following command:

+ >

+ >

+ > In the command, `<resource-group>` is the resource group of your Application Gateway instance. The `<identity-name>` placeholder is the name of the created identity. You can list all identities for a particular subscription by using `az identity list`.

+1. Install the AGIC package:

+## Install a sample app

+Now that you have Application Gateway, AKS, and AGIC installed, you can install a sample app via [Azure Cloud Shell](https://shell.azure.com/):

+Alternatively, you can:

+- Download the preceding YAML file:

+- Apply the YAML file:

+## Related content

+- For more examples on how to expose an AKS service to the internet via HTTP or HTTPS by using Application Gateway, see [this how-to guide](ingress-controller-expose-service-over-http-https.md).

+- For information about Application Gateway for Containers, see [this overview article](for-containers/overview.md).

+ Title: Use Let's Encrypt certificates with Application Gateway

+description: This article provides information on how to obtain a certificate from Let's Encrypt and use it on your Application Gateway instance for AKS clusters.

+# Use Let's Encrypt certificates on Application Gateway for AKS clusters

+You can configure your Azure Kubernetes Service (AKS) instance to use [Let's Encrypt](https://letsencrypt.org/) and automatically obtain a TLS/SSL certificate for your domain. The certificate is installed on Azure Application Gateway, which performs TLS/SSL termination for your AKS cluster.

+The setup that this article describes uses the [cert-manager](https://github.com/jetstack/cert-manager) Kubernetes add-on, which automates the creation and management of certificates.

+## Install the add-on

+Use the following steps to install [cert-manager](https://docs.cert-manager.io) on your existing AKS cluster:

+1. Run the following script to install the cert-manager Helm chart. The script performs the following actions:

+ - Creates a new `cert-manager` namespace on your AKS cluster

+ - Creates the following custom resource definitions (CRDs): `Certificate`, `Challenge`, `ClusterIssuer`, `Issuer`, `Order`

+ - Installs the cert-manager chart (from the [cert-manager site](https://cert-manager.io/docs/installation/compatibility/))

+2. Create a `ClusterIssuer` resource. Cert-manager requires this resource to represent the Let's Encrypt certificate authority that issues the signed certificate.

+ Cert-manager uses the non-namespaced `ClusterIssuer` resource to issue certificates that can be consumed from multiple namespaces. Let's Encrypt uses the ACME protocol to verify that you control a particular domain name and to issue a certificate. You can get more details on configuring `ClusterIssuer` properties in the [cert-manager documentation](https://docs.cert-manager.io/en/latest/tasks/issuers/https://docsupdatetracker.net/index.html).

+ `ClusterIssuer` instructs cert-manager to issue certificates by using the Let's Encrypt staging environment that's used for testing. (The root certificate is not present in browser/client trust stores.)

+ The default challenge type in the following YAML is `http01`. You can find other challenge types in the [Let's Encrypt documentation](https://letsencrypt.org/docs/challenge-types/).

+ In the following YAML, be sure to replace `<YOUR.EMAIL@ADDRESS>` with your information.

+ # ACME server URL for Let's Encrypt's staging environment.

+3. Create an ingress resource to expose the `guestbook` application by using the Application Gateway instance with the Let's Encrypt certificate.

+ Ensure that your Application Gateway instance has a public front-end IP configuration with a DNS name. Use the default `azure.com` domain, or provision an Azure DNS zone and then assign your own custom domain. The annotation `certmanager.k8s.io/cluster-issuer: letsencrypt-staging` tells cert-manager to process the tagged ingress resource.

+ In the following YAML, be sure to replace `<PLACEHOLDERS.COM>` with your own domain or with the Application Gateway domain (for example, `kh-aks-ingress.westeurope.cloudapp.azure.com`).

+ After a few seconds, you can access the `guestbook` service through the Application Gateway HTTPS URL by using the automatically issued Let's Encrypt certificate for staging.

+ Your browser might warn you about an invalid certificate authority. The reason is that `CN=Fake LE Intermediate X1` issued the staging certificate. This warning means that the system worked as expected and you're ready for your production certificate.

+4. After you successfully set up your staging certificate, you can switch to a production ACME server:

+ 1. Replace the staging annotation on your ingress resource with `certmanager.k8s.io/cluster-issuer: letsencrypt-prod`.

+ 1. Delete the existing staging `ClusterIssuer` resource that you created earlier. Create a new staging resource by replacing the ACME server from the previous `ClusterIssuer` YAML with `https://acme-v02.api.letsencrypt.org/directory`.

+Before the Let's Encrypt certificate expires, `cert-manager` automatically updates the certificate in the Kubernetes secret store. At that point, the Application Gateway Ingress Controller applies the updated secret referenced in the ingress resources that it's using to configure Application Gateway.

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+ Title: Enable multiple-namespace support for Application Gateway Ingress Controller

+description: This article provides information on how to enable support for multiple namespaces in a Kubernetes cluster by using the Application Gateway Ingress Controller.

+# Enable multiple-namespace support in an AKS cluster by using AGIC

+[Kubernetes namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) make it possible for a Kubernetes cluster to be partitioned and allocated to subgroups of a larger team. These subgroups can then deploy and manage infrastructure with finer controls of resources, security, and configuration. Kubernetes allows for one or more ingress resources to be defined independently within each namespace.

+As of version 0.7, the [Application Gateway Kubernetes Ingress Controller](https://github.com/Azure/application-gateway-kubernetes-ingress/blob/master/README.md) (AGIC) can ingest events from and observe multiple namespaces. If an Azure Kubernetes Service (AKS) administrator decides to use [Azure Application Gateway](https://azure.microsoft.com/services/application-gateway/) as an ingress, all namespaces use the same instance of Application Gateway. A single installation of AGIC monitors accessible namespaces and configures the Application Gateway instance that it's associated with.

+Version 0.7 of AGIC continues to exclusively observe the `default` namespace, unless you explicitly change it to one or more different namespaces in the Helm configuration.

+## Enable multiple-namespace support

+1. Modify the [helm-config.yaml](#sample-helm-configuration-file) file in one of the following ways:

+ - Delete the `watchNamespace` key entirely from [helm-config.yaml](#sample-helm-configuration-file). AGIC observes all namespaces.

+ - Set `watchNamespace` to an empty string. AGIC observes all namespaces.

+ - Add multiple namespaces separated by a comma (for example, `watchNamespace: default,secondNamespace`). AGIC observes these namespaces exclusively.

+2. Apply Helm template changes by running `helm install -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure`.

+After you deploy AGIC with the ability to observe multiple namespaces, it performs the following actions:

+- Lists ingress resources from all accessible namespaces

+- Filters to ingress resources annotated with `kubernetes.io/ingress.class: azure/application-gateway`

+- Composes a combined [Application Gateway configuration](https://github.com/Azure/azure-sdk-for-go/blob/37f3f4162dfce955ef5225ead57216cf8c1b2c70/services/network/mgmt/2016-06-01/network/models.go#L1710-L1744)

+- Applies the configuration to the associated Application Gateway instance via [Azure Resource Manager](../azure-resource-manager/management/overview.md)

+## Handle conflicting configurations

+Multiple-namespaced [ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) could instruct AGIC to create conflicting configurations for a single Application Gateway instance. That is, two ingresses could claim the same domain for an instance.

+At the top of the hierarchy, AGIC could create *listeners* (IP address, port, and host) and *routing rules* (binding listener, back-end pool, and HTTP settings). Multiple namespaces and ingresses could share them.

+On the other hand, AGIC could create paths, back-end pools, HTTP settings, and TLS certificates for one namespace only and remove duplicates.

+For example, consider the following duplicate ingress resources defined in the `staging` and `production` namespaces for `www.contoso.com`:

+Despite the two ingress resources demanding traffic for `www.contoso.com` to be routed to the respective Kubernetes namespaces, only one back end can service the traffic. AGIC creates a configuration on a "first in, first out" basis for one of the resources. If two ingress resources are created at the same time, the one earlier in the alphabet takes precedence. Based on this property, AGIC creates settings for the `production` ingress. Application Gateway is configured with the following resources:

+- Listener: `fl-www.contoso.com-80`

+- Routing rule: `rr-www.contoso.com-80`

+- Back-end pool: `pool-production-contoso-web-service-80-bp-80`

+- HTTP settings: `bp-production-contoso-web-service-80-80-websocket-ingress`

+- Health probe: `pb-production-contoso-web-service-80-websocket-ingress`

+> Except for *listener* and *routing rule*, the created Application Gateway resources include the name of the namespace (`production`) for which AGIC created them.

+If the two ingress resources are introduced into the AKS cluster at different points in time, AGIC is likely to end up in a scenario where it reconfigures Application Gateway and reroutes traffic from `namespace-B` to `namespace-A`.

+For example, if you add `staging` first, AGIC configures Application Gateway to route traffic to the staging back-end pool. At a later stage, introducing `production` ingress causes AGIC to reprogram Application Gateway, which starts routing traffic to the `production` back-end pool.

+## Restrict access to namespaces

+By default, AGIC configures Application Gateway based on annotated ingress within any namespace. If you want to limit this behavior, you have the following options:

+- Limit the namespaces by explicitly defining namespaces that AGIC should observe via the `watchNamespace` YAML key in [helm-config.yaml](#sample-helm-configuration-file).

+- Use [Role and RoleBinding objects](/azure/aks/azure-ad-rbac) to limit AGIC to specific namespaces.

+## Sample Helm configuration file

+ # result in Ingress Controller observing all accessible namespaces.

+```

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+description: This article provides information on how to use private IPs for internal routing to expose the ingress endpoint within a cluster to the rest of the virtual network.

+# Use a private IP for internal routing for an ingress endpoint

+You can use a private IP address for internal routing to expose an ingress endpoint within a cluster to the rest of a virtual network.

+There are two ways to configure a controller to use a private IP for ingress: assigning the private IP to a particular ingress or assigning it globally.

+To complete the tasks in this article, you need Azure Application Gateway with a [private IP configuration](./configure-application-gateway-with-private-frontend-ip.md).

+To expose a particular ingress over private IP, use the annotation [`appgw.ingress.kubernetes.io/use-private-ip`](./ingress-controller-annotations.md#use-private-ip) in the ingress:

+For Application Gateway instances without a private IP, ingresses annotated with `appgw.ingress.kubernetes.io/use-private-ip: "true"` are ignored. The ingress event and the Application Gateway Ingress Controller (AGIC) pod log indicate this problem:

+- Here's the error as indicated in the ingress event:

+- Here's the error as indicated in AGIC logs:

+## Assign globally

+If you need to restrict all ingresses to be exposed over private IP, use `appgw.usePrivateIP: true` in the `helm` configuration:

+This code makes the ingress controller filter the IP address configurations for a private IP when it's configuring the front-end listeners on the Application Gateway instance. AGIC can stop working if the value of `usePrivateIP` is `true` and no private IP is assigned.

+> Application Gateway v2 requires a public IP. If you require Application Gateway to be private, attach a [network security group](../virtual-network/network-security-groups-overview.md) to the Application Gateway instance's subnet to restrict traffic.

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+description: This article provides information on how to upgrade an Application Gateway Ingress Controller by using Helm.

+# Upgrade AGIC by using Helm

+You can upgrade the Azure Application Gateway Ingress Controller (AGIC) for Kubernetes by using a Helm repository hosted on Azure Storage.

+## Add the repository

+Before you begin the upgrade procedure, ensure that you've added the required repository:

+1. View your currently added Helm repositories:

+1. If necessary, add the AGIC repository:

+ The latest available version from the preceding list is `0.7.0-rc1`.

+1. View the currently installed Helm charts:

+ The Helm chart installation from the preceding sample response is named `odd-billygoat`. This article uses that name for the commands. Your actual deployment name will be different.

+## Roll back

+If the Helm deployment fails, you can roll back to a previous release:

+1. Get the number of the last known healthy release:

+ Based on the sample output of the `helm history` command, the last successful deployment of the `odd-billygoat` example was revision `1`.

+## Related content

+- [What is Application Gateway for Containers?](for-containers/overview.md)

+| [PowerShell](#powershell-runbooks) |Textual runbook based on Windows PowerShell scripting. The currently supported versions are: PowerShell 7.2 (GA) and PowerShell 5.1 (GA). Since [PowerShell 7.1](/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3&preserve-view=true#powershell-end-of-support-dates) is no longer supported by parent product PowerShell, we recommend that you to create runbooks in long term supported version PowerShell 7.2 |

+| [Python](#python-runbooks) |Textual runbook based on Python scripting. The currently supported versions are: Python 3.8 (GA) and Python 3.10 (preview). Since [Python 2.7](https://devguide.python.org/versions/) is no longer supported by parent product Python, we recommend that you to create runbooks in long term supported versions. |

+> Azure Automation will follow the support lifecycle of PowerShell and Python language versions in accordance with the timelines published by parent products [PowerShell](/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3&preserve-view=true#powershell-end-of-support-dates) and [Python](https://devguide.python.org/versions/) respectively. We recommend that you to use runbooks with supported language versions.

+> Starting November 1, 2024, the TLS 1.2 requirement will be enforced.

+| Starting November 1, 2024 | Minimum TLS version for all cache instances is updated to 1.2. This means Azure Cache for Redis instances reject connections using TLS 1.0 or 1.1 at this point. |

+| Windows | .NET 9 Preview 6^{1, 2} |

+| Linux | .NET 9 RC2^{1, 3} |

+² Support for Windows might not appear in some clients during the preview period.

+³ .NET 9 is not yet supported on the Flex Consumption SKU.

+To add the PMTiles protocol, hook the data source with the specified protocol URI scheme. The following sample uses the [Overture] building dataset to add building data over the basemap.

+PMTiles are added as a map source during the map event. Once added, the specified URI scheme is available to the Azure Maps Web SDK. In the following sample, the PMTiles URL is added as a `VectorTileSource`.

+[Azure Maps Creator onboarding tool]: https://azure.github.io/azure-maps-creator-onboarding-tool

+To use Azure NetApp Files, you need to register the NetApp Resource Provider.

+1. From the Azure portal, select the Azure Cloud Shell icon on the upper right-hand corner:

+4. Verify that the Azure Resource Provider has been registered. To verify, enter the following command in the Azure Cloud Shell console:

+ `<SubID>` is your subscription ID. The `state` parameter value indicates `Registered`.

+5. From the Azure portal, select **Subscriptions**.

+6. From Subscriptions, select your subscription ID.

+7. In the settings of the subscription, select **Resource providers** to verify that Microsoft.NetApp Provider indicates the Registered status:

+For more information about the Azure File Migration Program, see [Migrate the critical file data you need to power your applications](https://techcommunity.microsoft.com/t5/azure-storage-blog/migrate-the-critical-file-data-you-need-to-power-your/ba-p/3038751). Also, see [Azure Storage migration tools comparison - Unstructured data](../storage/solution-integration/validated-partners/data-management/migration-tools-comparison.md).

+- Validate network connectivity between the source and the Azure NetApp Files target volume IP address. Data transfer between on premises and the Azure NetApp Files service is supported over ExpressRoute. The virtual machine running that the data transfer tool runs on should have access to both the source and destination volumes.

+Azure NetApp Files provides NFS and SMB volumes. Any file based-copy tool can be used to replicate data between Azure regions.

+The [cross-region replication](cross-region-replication-introduction.md) functionality enables you to asynchronously replicate data from an Azure NetApp Files volume (source) in one region to another Azure NetApp Files volume (destination) in another region. Additionally, you can [create a new volume by using a snapshot of an existing volume](snapshots-restore-new-volume.md).

+NetApp offers a SaaS based solution, [NetApp Cloud Sync](https://cloud.netapp.com/cloud-sync-service). The solution enables you to replicate NFS or SMB data to Azure NetApp Files NFS exports or SMB shares.

+You can also use a wide array of free tools to copy data. For NFS, you can use workloads tools such as [rsync](https://rsync.samba.org/examples.html) to copy and synchronize source data into an Azure NetApp Files volume. For SMB, you can use workloads [robocopy](/windows-server/administration/windows-commands/robocopy) in the same manner. These tools can also replicate file or folder permissions.

+ `az vmware datastore netapp-volume create --name MyDatastore1 --resource-group MyResourceGroup ΓÇô-cluster Cluster-1 --private-cloud MyPrivateCloud ΓÇô-net-app-volume /subscriptions/<Subscription Id>/resourceGroups/<Resourcegroup name>/providers/Microsoft.NetApp/netAppAccounts/<Account name>/capacityPools/<pool name>/volumes/<Volume name>`

+ --net-app-volume /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.NetApp/netAppAccounts/<NetApp account>/capacityPools/<changed capacity pool>/volumes/<volume name>

+* FIPS encryption is currently not supported with SQL backup workloads.

+ Title: Call setup issues - The call ends due to network issues

+description: Learn how to troubleshoot when the call ends with 410/3112

+# The call ends with 410/3112

+The reason why call ends with 410/3112 error is the client isn't able to reach out to the other endpoint and no relay candidates are gathered.

+This 410/3112 error code can happen when the media path can't be established due to network issues, firewall restrictions, or incorrect configuration settings.

+Therefore, the peers were unable to establish a direct or relay connection.

+The relay candidates aren't necessary if the client is able to establish a direct connection to the other peer.

+However, when WebRTC fails to gather relay candidates, it often indicates an issue with TURN (Traversal Using Relays around NAT) server configuration or network restrictions.

+Relay candidates are crucial for establishing connections in restrictive network environments.

+## How to detect using the SDK

+You can learn the reason for the call ending using the following code snippet.

+```javascript

+call.on('stateChanged', () => {

+ if (call.state === 'Disconnected') {

+ if (call.callEndReason.code === 410 && call.callEndReason.subCode === 3112) {

+ // show error message

+ }

+ }

+});

+```

+To understand the codes and subcodes, see [Understanding calling codes and subcodes errors](../general-troubleshooting-strategies/understanding-error-codes.md).

+When the media path can't be established, the call terminates with code 410 and subcode 3112.

+The SDK also triggers [networkRelaysNotReachable UFD](../references/ufd/network-relays-not-reachable.md) event.

+Here's a code snippet showing how to capture the `networkRelaysNotReachable UFD` event.

+```javascript

+call.feature(Features.UserFacingDiagnostics).network.on('diagnosticChanged', (diagnosticInfo) => {

+ if (diagnosticInfo.diagnostic === 'networkRelaysNotReachable') {

+ if (diagnosticInfo.value === true) {

+ // show a warning message on UI

+ } else {

+ // The networkRelaysNotReachable UFD recovered, notify the user

+ }

+ }

+});

+```

+## How to analyze the issue with Log Analytics or Call Diagnostics tool

+When a user reports that they're unable to make a call, you can use the [Call Diagnostics](../../../../concepts/voice-video-calling/call-diagnostics.md) tool to analyze the reason for the failure.

+To debug user calls, you need the [call ID](../references/how-to-collect-call-info.md).

+If the user's call failed because the firewall blocked the relay connection, you can find the end code and subcode to be 410 and 3112 on the overview page of the call.

+Additionally, you can also find [networkRelaysNotReachable UFD](../references/ufd/network-relays-not-reachable.md) event on the call issues page.

+To understand the timing of user actions or events, you can check the details on the timeline page.

+In this example, the user got `networkRelaysNotReachable UFD` event at 16:41:47 and call state change event at 16:41:49.

+The [Call Diagnostics](../../../../concepts/voice-video-calling/call-diagnostics.md) tool gives you an overview and the necessary information for debugging a single call.

+If you want to understand how many users encounter this issue, or how often users experience the problem, you can use the [Log Analytics](../../../../concepts/analytics/logs/voice-and-video-logs.md) tool to gain the insights on this issue.

+For example, if you want to get the call ID that were disconnected with subcode 3112 in the last seven days, you can execute this query:

+```kusto

+ACSCallSummary

+| where ParticipantEndSubCode == 3112

+| project TimeGenerated, CorrelationId, ParticipantId, Identifier, CallType

+```

+You can also render a timechart to understand the daily number of calls ending with subcode 3112

+```kusto

+ACSCallSummary

+| where ParticipantEndSubCode == 3112

+| summarize count() by bin(TimeGenerated, 1d)

+| render timechart

+```

+The time chart only provides an overview of the users under the same ACS resource ID.

+By running more specific queries, you can identify patterns or anomalies that aren't immediately apparent from the time chart alone, helping you pinpoint the root cause of any issues more accurately.

+For example, if you see a spike in the number of calls ending with subcode 3112, it could be due to the high volume of calls while the occurrence ratio of the problem remained the same. Alternatively, the spike might be attributed to a particular user who retried many times and all attempts were failed with subcode 3112.

+In this query, we analyze the data based on the user identifiers, assuming that the app maintains the same user identifier for each individual.

+```kusto

+ACSCallSummary

+| summarize Total = count(), SuccessCount = countif(ParticipantEndSubCode == 0), SubCode3112Count = countif(ParticipantEndSubCode == 3112) by Identifier

+| where SubCode3112Count > 0

+| order by SubCode3112Count desc

+```

+In this example, one user had a total of 180 calls, of which 160 calls were successful and only two calls failed with subcode 3112.

+This pattern suggests a transient network issue, which may be resolved by retrying.

+On the other hand, another user had a total of six calls, all of which failed with subcode 3112.

+This consistency in subcode value indicates a likely network configuration issue for that user, where retrying is unlikely to help.

+## How to mitigate or resolve

+If you find a user consistently experiences 410/3112 error, you should recommend that they check their firewall settings.

+Users should follow the *Firewall Configuration* guideline mentioned in the [Network recommendations](../../../../concepts/voice-video-calling/network-requirements.md) document.

+Ensure that the user or administrator checks their Network Address Translation (NAT) settings and verifies whether their firewall policy blocks User Datagram Protocol (UDP) packets.

+The firewall settings aren't limited to the user's computer; if the user is in a corporate environment, the company's firewall may also need to be configured.

+Furthermore, if the application uses [custom TURN servers](../../../../tutorials/proxy-calling-support-tutorial.md),

+ensure that specified IP, port, and protocol aren't blocked by any firewall.

+For application, it's important to handle events from the [User Facing Diagnostics Feature](../../../../concepts/voice-video-calling/user-facing-diagnostics.md) and notify the users accordingly.

+By doing so, the user is aware of the issue and can troubleshoot their network environment.

+In rare cases, this error code appears randomly even if the user's firewall settings are correct.

+If the same user was previously able to connect and call successfully, this problem could be due to changes in network conditions.

+It may be a temporary issue. Try to start or join the call again.

+## References

+* [Network recommendations](../../../../concepts/voice-video-calling/network-requirements.md)

+* [networkRelaysNotReachable UFD](../references/ufd/network-relays-not-reachable.md)

+* [Force calling traffic to be proxied across your own server](../../../../tutorials/proxy-calling-support-tutorial.md)

+### The call ends with specific codes/sub codes

+* The call ends with 410/3112 error due to network issues

+The [Cost Details](/rest/api/cost-management/generate-cost-details-report/create-operation?view=rest-cost-management-2023-11-01&tabs=HTTP) API and [Exports](/rest/api/cost-management/exports/create-or-update?view=rest-cost-management-2023-11-01&tabs=HTTP) support cost allocation data. However, the [Usage Details](/rest/api/consumption/usagedetails/list) API doesn't support cost allocation data.

+ - Built-in views (for example, Accumulated costs, Daily costs, or Cost by service) can't be changed.

+ - The currency is displayed as USD on subscribed e-mail if creating email setting by using Built-in views.

+ - If you need to change the date range, currency, amortization, or any other setting, you need to save that as a private or shared view.

+If your enterprise administrator can't assist you, create an [Azure support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest). Provide the following information:

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/ea-microsoft-customer-agreement-set-up-wizard.png" alt-text="Screenshot that shows the setup wizard." lightbox="./media/microsoft-customer-agreement-setup-account/ea-microsoft-customer-agreement-set-up-wizard.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/ea-microsoft-customer-agreement-set-up-status.png" alt-text="Screenshot that shows the transition status." lightbox="./media/microsoft-customer-agreement-setup-account/ea-microsoft-customer-agreement-set-up-status.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/search-cmb.png" alt-text="Screenshot that shows Azure portal search." lightbox="./media/microsoft-customer-agreement-setup-account/search-cmb.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-subscriptions-post-transition.png" alt-text="Screenshot that shows a list of subscriptions." lightbox="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-subscriptions-post-transition.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/search-cmb.png" alt-text="Screenshot that shows Azure portal search." lightbox="./media/microsoft-customer-agreement-setup-account/search-cmb.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-ea-admins-ba-access-post-transition.png" alt-text="Screenshot that shows access of enterprise administrators listed as billing account owners post transition." lightbox="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-ea-admins-ba-access-post-transition.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/search-cmb.png" alt-text="Screenshot that shows Azure portal search." lightbox="./media/microsoft-customer-agreement-setup-account/search-cmb.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-ea-admins-bp-access-post-transition.png" alt-text="Screenshot that shows the access of enterprise administrators listed as billing profile owners post transition." lightbox="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-ea-admins-bp-access-post-transition.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/search-cmb.png" alt-text="Screenshot that shows Azure portal search." lightbox="./media/microsoft-customer-agreement-setup-account/search-cmb.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-invoice-sections-post-transition.png" alt-text="Screenshot that shows a list of invoice section post transition." lightbox="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-invoice-sections-post-transition.png":::

+ :::image type="content" border="true" source="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-department-account-admins-access-post-transition.png" alt-text="Screenshot that shows access of department and account admins post transition." lightbox="./media/microsoft-customer-agreement-setup-account/microsoft-customer-agreement-department-account-admins-access-post-transition.png":::

+When you buy a reservation, the current UTC date and time are used to record the transaction.

+When you buy a reservation, the current UTC date and time are used to record the transaction.

+| [Salesforce (legacy)](connector-salesforce-legacy.md)   | [Link](connector-salesforce.md#upgrade-the-salesforce-linked-service) | End of support announced and new version available | To be determined | /|

+| [Salesforce Service Cloud (legacy)](connector-salesforce-service-cloud-legacy.md)   | [Link](connector-salesforce-service-cloud.md#upgrade-the-salesforce-service-cloud-linked-service) | End of support announced and new version available | To be determined |/ |

+| [Snowflake (legacy)](connector-snowflake-legacy.md)   | [Link](connector-snowflake.md#upgrade-the-snowflake-linked-service) | End of support announced and new version available | To be determined | / |

+>The new Salesforce connector provides improved native Salesforce support. If you are using the legacy Salesforce connector in your solution, you are recommended to [upgrade your Salesforce connector](connector-salesforce.md#upgrade-the-salesforce-linked-service) at your earliest convenience. Refer to this [section](connector-salesforce.md#differences-between-salesforce-and-salesforce-legacy) for details on the difference between the legacy and latest version.

+>The new Salesforce Service Cloud connector provides improved native Salesforce Service Cloud support. If you are using the legacy Salesforce Service Cloud connector in your solution, you are recommended to [upgrade your Salesforce Service Cloud connector](connector-salesforce-service-cloud.md#upgrade-the-salesforce-service-cloud-linked-service) at your earliest convenience. Refer to this [section](connector-salesforce-service-cloud.md#differences-between-salesforce-service-cloud-and-salesforce-service-cloud-legacy) for details on the difference between the legacy and latest version.

+>The new Salesforce Service Cloud connector provides improved native Salesforce Service Cloud support. If you are using the legacy Salesforce Service Cloud connector in your solution, you are recommended to [upgrade your Salesforce Service Cloud connector](#upgrade-the-salesforce-service-cloud-linked-service) at your earliest convenience. Refer to this [section](#differences-between-salesforce-service-cloud-and-salesforce-service-cloud-legacy) for details on the difference between the legacy and latest version.

+>The new Salesforce connector provides improved native Salesforce support. If you are using the legacy Salesforce connector in your solution, you are recommended to [upgrade your Salesforce connector](#upgrade-the-salesforce-linked-service) at your earliest convenience. Refer to this [section](#differences-between-salesforce-and-salesforce-legacy) for details on the difference between the legacy and latest version.

+>The new Snowflake connector provides improved native Snowflake support. If you are using the legacy Snowflake connector in your solution, you are recommended to [upgrade your Snowflake connector](connector-snowflake.md#upgrade-the-snowflake-linked-service) at your earliest convenience. Refer to this [section](connector-snowflake.md#differences-between-snowflake-and-snowflake-legacy) for details on the difference between the legacy and latest version.

+>The new Snowflake connector provides improved native Snowflake support. If you are using the legacy Snowflake connector in your solution, you are recommended to [upgrade your Snowflake connector](#upgrade-the-snowflake-linked-service) at your earliest convenience. Refer to this [section](#differences-between-snowflake-and-snowflake-legacy) for details on the difference between the legacy and latest version.

+For example, select **Manage report** to update the data your report includes by using the same fields.

+Azure Firewall has two new diagnostic logs that can help monitor your firewall, but these logs currently do not show application rule details.

+ Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myClassicFrontDoorWAF

+ $wafMapping = New-AzFrontDoorCdnMigrationWebApplicationFirewallMappingObject -MigratedFromId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myClassicFrontDoorWAF -MigratedToId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myFrontDoorWAF

+Start-AzFrontDoorCdnProfilePrepareMigration -ResourceGroupName myAFDResourceGroup -ClassicResourceReferenceId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/Frontdoors/myAzureFrontDoorClassic -ProfileName myAzureFrontDoor -SkuName Premium_AzureFrontDoor -IdentityType SystemAssigned

+ /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/afduseridentity

+ Start-AzFrontDoorCdnProfilePrepareMigration -ResourceGroupName <resourceGroupName> -ClassicResourceReferenceId /subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/Microsoft.Network/frontdoors/<frontdoorClassicName> -ProfileName myAzureFrontDoor -SkuName Premium_AzureFrontDoor -IdentityType UserAssigned -IdentityUserAssignedIdentity @{"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/afduseridentity" = @{}}

+ Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myClassicFrontDoorWAF

+ $wafMapping1 = New-AzFrontDoorCdnMigrationWebApplicationFirewallMappingObject -MigratedFromId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myClassicFrontDoorWAF1 -MigratedToId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myFrontDoorWAF1

+ $wafMapping2 = New-AzFrontDoorCdnMigrationWebApplicationFirewallMappingObject -MigratedFromId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myClassicFrontDoorWAF2 -MigratedToId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/myFrontDoorWAF2

+ /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/afduseridentity1

+ /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myAFDResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/afduseridentity2

+ "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/afduseridentity1" = @{}}

+ "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/afduseridentity2" = @{}}

+|[mv-expand](/azure/data-explorer/kusto/query/mvexpandoperator) |[List Azure Cosmos DB with specific write locations](../samples/advanced.md#list-azure-cosmos-db-with-specific-write-locations) |_RowLimit_ max of 2,000. The default is 128. Limit of 3 `mv-expand` in a single query.|

+description: Learn how to use Azure Monitor logs to monitor jobs running in a HDInsight cluster.

+Learn how to enable Azure Monitor logs to monitor Hadoop cluster operations in HDInsight. And how to add a HDInsight monitoring solution.

+ For the instructions on how to create a HDInsight cluster, see [Get started with Azure HDInsight](hadoop/apache-hadoop-linux-tutorial-get-started.md).

+* If using PowerShell, you need the [Az Module](/powershell/azure/). Ensure you have the latest version. If necessary, run `Update-Module -Name Az`.

+ For the instructions on how to create a HDInsight cluster, see [Get started with Azure HDInsight](hadoop/apache-hadoop-linux-tutorial-get-started.md).

+To use the new Azure Monitor integration, enable it by selecting **Monitor integration** from the **Monitoring** section in the left menu of your HDInsight Azure portal page. You can also use PowerShell or Azure CLI to enable and interact with the new monitoring integration. For more information, see the following article:

+- [Use Azure Monitor Agent to monitor HDInsight clusters](azure-monitor-agent.md)

+For instructions on how to create a HDInsight cluster, see [Get started with Azure HDInsight](hadoop/apache-hadoop-linux-tutorial-get-started.md).

+```azurecli

+az iot ops delete --name <INSTANCE_NAME> --resource-group <RESOURCE_GROUP> --include-deps

+* The latest version of the following extensions for Azure CLI:

+ az extension add --upgrade --name connectedk8s

+- Customer requires flexible sign-in methods. DevTest Labs requires that the user exists in the Microsoft Entra ID tenant for the subscription in which the lab is hosted. Azure role-based access control (RBAC) permissions are used to control who has access to labs and VMs.

+There are no costs for using the DevTest Labs service; it's free to use. Customers are charged for resources used by the DevTest Labs service. This cost includes, but isn't limited to, the cost of storage, networking, and running time for any VMs in a lab.

+DevTest Labs is integrated into [Microsoft Cost Management](/azure/cost-management-billing/costs/overview-cost-management) for cost budgeting and analysis. To track per-lab costs, [allow tag inheritance and add tags to lab resources](/azure/devtest-labs/devtest-lab-configure-cost-management).

+**Does DevTest Labs provide quota management?**

+DevTest Labs is integrated into [Microsoft Cost Management](/azure/cost-management-billing/costs/overview-cost-management). Cost Management can [monitor costs for virtual machines](/azure/virtual-machines/cost-optimization-monitor-costs) and [automatically execute actions based on a budget](/azure/cost-management-billing/manage/cost-management-budget-scenario). There's no management of VM usage quota within the DevTest Labs service.

+- [What is a vector database](/azure/cosmos-db/vector-database#what-is-a-vector-database)

+ [!INCLUDE [logic-apps-host-plans](includes/logic-apps-host-plans.md)]

+ Title: Create Standard logic app workflows for hybrid deployment

+description: Create and deploy an example Standard logic app workflow on your own managed infrastructure, which can include on-premises, private cloud, and public cloud environments.

+ms.suite: integration

+# Customer intent: As a developer, I want to create a Standard logic app workflow that can run on customer-managed infrastructure, which can include on-premises systems, private clouds, and public clouds.

+# Create Standard logic app workflows for hybrid deployment on your own infrastructure (Preview)

+> [!NOTE]

+>

+> This capability is in preview, incurs charges for usage, and is subject to the

+> [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+For scenarios where you need to use, control, and manage your own infrastructure, you can create Standard logic app workflows using the hybrid deployment model in Azure Logic Apps. This model provides capabilities for you to build and host integration solutions for partially connected environments that require local processing, storage, and network access. Your infrastructure can include on-premises systems, private clouds, and public clouds. With the hybrid model, your Standard logic app workflow is powered by the Azure Logic Apps runtime that is hosted on premises as an Azure Container Apps extension.

+For an architectural overview that shows where Standard logic app workflows are hosted and run in a partially connected environment, see [Set up infrastructure requirements for hybrid deployment for Standard logic apps](set-up-standard-workflows-hybrid-deployment-requirements.md).

+This how-to guide shows how to create and deploy a Standard logic app workflow using the hybrid deployment model after you set up the necessary on-premises resources for hosting your app.

+## Limitations

+- Hybrid deployment for Standard logic apps is available and supported only in the [same regions as Azure Container Apps on Azure Arc-enabled AKS](../container-apps/azure-arc-overview.md#public-preview-limitations).

+- The following capabilities currently aren't available in this preview release:

+ - SAP access through the SAP built-in connector

+ - XSLT 1.0 for custom code

+ - Custom code support with .NET Framework

+ - Managed identity authentication

+ - File System connector

+- Azure Arc-enabled Kubernetes clusters currently don't support managed identity authentication for managed API connections. Instead, you must create your own app registration using Microsoft Entra ID. For more information, [follow these steps later in this guide](#authenticate-managed-api-connections).

+- Some function-based triggers, such as Azure Blob, Cosmos DB, and Event Hubs require a connection to the Azure storage account associated with your Standard logic app. If you use any function-based triggers, in your Standard logic app's environment variables in the Azure portal or in your logic app project's **local.settings.json** file in Visual Studio Code, add the following app setting and provide your storage account connection string:

+ ```json

+ "Values": {

+ "name": "AzureWebJobsStorage",

+ "value": "{storage-account-connection-string}"

+ }

+ ```

+## Prerequisites

+- An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- The following on-premises resources, which must all exist within the same network for the required connectivity:

+ - An Azure Kubernetes Service cluster that's connected to Azure Arc

+ - A SQL database to locally store workflow run history, inputs, and outputs for processing

+ - A Server Message Block (SMB) file share to locally store artifacts used by your workflows

+ To meet these requirements, [set up these on-premises resources to support hybrid deployment for Standard logic apps](set-up-standard-workflows-hybrid-deployment-requirements.md).

+- To work in Visual Studio Code, you need the Azure Logic Apps (Standard) extension for Visual Studio Code with the [related prerequisites](create-single-tenant-workflows-visual-studio-code.md#prerequisites).

+ > [!TIP]

+ >

+ > If you have a new Visual Studio Code installation, confirm that you can locally run a

+ > basic Standard workflow before you try deploying to your own infrastructure. This test

+ > run helps isolate any errors that might exist in your Standard workflow project.

+## Create your Standard logic app in the Azure portal

+After you meet the prerequisites, create your Standard logic app for hybrid deployment by following these steps:

+1. In the [Azure portal](https://portal.azure.com) search box, enter **logic apps**, and select **Logic apps**.

+1. On the **Logic apps** page toolbar, select **Add**.

+1. On the **Create Logic App** page, under **Standard**, select **Hybrid**.

+1. On the **Create Logic App (Hybrid)** page, provide the following information:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Subscription** | Yes | <*Azure-subscription-name*> | Your Azure subscription name. <br><br>This example uses **Pay-As-You-Go**. |

+ | **Resource Group** | Yes | <*Azure-resource-group-name*> | The [Azure resource group](../azure-resource-manager/management/overview.md#terminology) where you create your hybrid app and related resources. This name must be unique across regions and can contain only letters, numbers, hyphens (**-**), underscores (**_**), parentheses (**()**), and periods (**.**). <br><br>This example creates a resource group named **Hybrid-RG**. |

+ | **Logic App name** | Yes | <*logic-app-name*> | Your logic app name, which must be unique across regions and can contain only lowercase letters, numbers, or hyphens (**-**). <br><br>This example uses **my-logic-app-hybrid**. |

+ | **Region** | Yes | <*Azure-region*> | An Azure region that is [supported for Azure container apps on Azure Arc-enabled AKS](../container-apps/azure-arc-overview.md#public-preview-limitations). <br><br>This example uses **East US**. |

+ | **Container App Connected Environment** | Yes | <*connected-environment-name*> | The Arc-enabled Kubernetes cluster that you created as the deployment environment for your logic app. For more information, see [Tutorial: Enable Azure Container Apps on Azure Arc-enabled Kubernetes](../container-apps/azure-arc-enable-cluster.md). |

+ | **Configure storage settings** | Yes | Enabled or disabled | Continues to the **Storage** tab on the **Create Logic App (Hybrid)** page. |

+ The following example shows the logic app creation page in the Azure portal with sample values:

+ :::image type="content" source="media/create-standard-workflows-hybrid-deployment/create-logic-app-hybrid-portal.png" alt-text="Screenshot shows Azure portal and logic app creation page.":::

+1. On the **Storage** page, provide the following information about the storage provider and SMB file share that you previously set up:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **SQL connection string** | Yes | <*sql-server-connection-string*> | The SQL Server connection string that you previously saved. For more information, see [Create SQL Server storage provider](set-up-standard-workflows-hybrid-deployment-requirements.md#create-storage-provider). |

+ | **Host name** | Yes | <*file-share-host-name*> | The host name for your SMB file share. |

+ | **File share path** | Yes | <*file-share-path*> | The file share path for your SMB file share. |

+ | **User name** | Yes | <*file-share-user-name*> | The user name for your SMB file share. |

+ | **Password** | Yes | <*file-share-password*> | The password for your SMB file share. |

+1. When you finish, select **Review + create**. Confirm the provided information, and select **Create**.

+1. After Azure completes deployment, select **Go to resource**.

+ :::image type="content" source="media/create-standard-workflows-hybrid-deployment/logic-app-hybrid-portal.png" alt-text="Screenshot shows Azure portal with Standard logic app for hybrid deployment created as a Container app.":::

+ From this view in the Azure portal, you can create, edit, and manage workflows as usual.

+ > [!NOTE]

+ >

+ > Several known issues exist in the portal around how you find your Standard logic app, which is created

+ > as a container app in this release. Your Standard logic app is also labeled differently from Standard

+ > logic apps deployed to single-tenant Azure and App Service environment v3. For more information, see

+ > [Known issues and troubleshooting - Azure portal](#known-issues-portal).

+1. To review the app settings, on the container app menu, under **Settings**, select **Containers**, and then select the **Environment variables** tab.

+ For more information about app settings and host settings, see [Edit app settings and host settings](edit-app-settings-host-settings.md).

+## Create your Standard logic app in Visual Studio Code

+After you meet the prerequisites, but before you create your Standard logic app for hybrid deployment in Visual Studio Code, confirm that the following conditions are met:

+- Your SMB file share server is accessible.

+- Port 445 is open on the computer where you run Visual Studio Code.

+1. Run Visual Studio Code as administrator.

+1. In Visual Studio Code, on the Activity Bar, select the Azure icon.

+1. In the **Workspace** section, from the toolbar, select the Azure Logic Apps icon, and then select **Create new project**.

+1. Browse to the location where you want to create the folder for your Standard logic app project. Create your project folder, select the folder, and then choose **Select**.

+1. From the workflow type list, select **Stateful Workflow** or **Stateless Workflow**. Provide a name for your workflow.

+ This example selects **Stateful Workflow** and uses **my-stateful-workflow** as the name.

+1. From the list that appears, select **Open in current window**.

+ Visual Studio Code creates and opens your logic app project to show the **workflow.json** file.

+1. From the list that appears, select **Use connectors from Azure**.

+1. From the subscription list, select your Azure subscription.

+1. From the resource group list, select **Create new resource group**. Provide a name for your resource group.

+ This example uses **Hybrid-RG**.

+1. From the location list, select an Azure region that is [supported for Azure container apps on Azure Arc-enabled AKS](../container-apps/azure-arc-overview.md#public-preview-limitations).

+ This example uses **East US**.

+1. In the **Explorer** window, open the shortcut menu for the **workflow.json** file, and select **Open Designer**.

+1. Build your workflow as usual by adding a trigger and actions. For more information, see [Build a workflow with a trigger and actions](create-workflow-with-trigger-or-action.md).

+<a name="authenticate-managed-api-connections"></a>

+## Set up authentication for managed API connections

+To authenticate managed API connections in Standard logic app workflows hosted on Azure Arc-enabled Kubernetes clusters, you must create your own app registration using Microsoft Entra ID. You can then add this app registration's values as environment variables in your Standard logic app resource to authenticate your API connections instead.

+### Create an app registration with Microsoft Entra ID

+#### [Portal](#tab/azure-portal)

+1. In the [Azure portal](https://portal.azure.com), follow [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app) to create an app registration.

+1. After creation completes, find your new app registration in the portal.

+1. On the resource menu, select **Overview**, and save the following values, which you need later for connection authentication:

+ - Client ID

+ - Tenant ID

+ - Client secret

+1. For the object ID, follow these steps:

+ 1. On the **Overview** page, select **Managed application in local directory** link for your app registration as shown:

+ :::image type="content" source="media/create-standard-workflows-hybrid-deployment/managed-application-link.png" alt-text="Screenshot shows app registration with selected link for managed application in local directory.":::

+ 1. On the page that opens, copy and save the **Object ID** value:

+ :::image type="content" source="media/create-standard-workflows-hybrid-deployment/app-registration-object-id.png" alt-text="Screenshot shows app registration with selected object ID.":::

+1. Now, [add the saved values as environment variables](#add-environment-variables) to your Standard logic app resource.

+#### [Azure CLI](#tab/azure-cli)

+1. To create the app registration, use the [**az ad sp create** command](/cli/azure/ad/sp#az-ad-sp-create).

+1. To review all the properties, use the [**az ad sp show** command](/cli/azure/ad/sp#az-ad-sp-show).

+1. In the output from both commands, find and save the following values, which you need later for connection authentication:

+ - Client ID

+ - Object ID

+ - Tenant ID

+ - Client secret

+1. Now, [add the saved values as environment variables](#add-environment-variables) to your Standard logic app resource.

+<a name="add-environment-variables"></a>

+### Add environment variable values to your Standard logic app

+1. In the [Azure portal](https://portal.azure.com), go to your Standard logic app resource.

+1. On the resource menu, under **Settings**, select **Containers**, and then select the **Environment variables** tab.

+1. On the toolbar, select **Edit and deploy**.

+1. On the **Edit a container** pane, select **Environment variables**, and then select **Add**.

+1. From the following table, add each environment variable with the specified value:

+ | Environment variable | Value |

+ |-|-|

+ | **WORKFLOWAPP_AAD_CLIENTID** | <*my-client-ID*> |

+ | **WORKFLOWAPP_AAD_OBJECTID** | <*my-object-ID*> |

+ | **WORKFLOWAPP_AAD_TENANTID** | <*my-tenant-ID*> |

+ | **WORKFLOWAPP_AAD_CLIENTSECRET** | <*my-client-secret*> |

+1. When you finish, select **Save**.

+### Store and reference client ID and client secret

+You can store the client ID and client secret values in your logic app resource as secrets and then reference those values on the **Environment variables** tab instead.

+1. On the resource menu, under **Settings**, select **Secrets**.

+1. On the toolbar, select **Add**.

+1. On the **Add secret** pane, provide the following information for each secret, and then select **Add**:

+ | Key | Value |

+ |--|-|

+ | **WORKFLOWAPP_AAD_CLIENTID** | <*my-client-ID*> |

+ | **WORKFLOWAPP_AAD_CLIENTSECRET** | <*my-client-secret*> |

+## Deploy your logic app from Visual Studio Code

+After you finish building your workflow, you can deploy your logic app to your Container Apps connected environment.

+1. In the **Explorer** window, open the shortcut menu for the workflow node, which is **my-stateful-workflow** in this example, and select **Deploy to logic app**.

+1. From the subscription list, select your Azure subscription.

+1. From the available logic apps list, select **Create new Logic App (Standard) in Azure**. Provide a globally unique logic app name that uses only lowercase alphanumeric characters or hyphens.

+ This example uses **my-logic-app-hybrid**.

+1. From the location list that appears, select the same Azure region where you have your connected environment.

+ This example uses **East US**.

+1. From the hosting plan list, select **Hybrid**.

+1. From the resource group list, select **Create new resource group**. Provide a name for your resource group.

+ This example uses **Hybrid-RG**.

+1. From the connected environment list, select your environment.

+1. Provide your previously saved values for the host name, SMB file share path, username, and password for your artifacts storage.

+1. Provide the connection string for the SQL database that you set up for runtime storage.

+ Visual Studio Code starts the deployment process for your Standard logic app.

+1. To monitor deployment status and Azure activity logs, from the **View** menu, select **Output**. In the window that opens, select **Azure**.

+After deployment completes, you can go to the Azure portal to view your logic app workflow.

+> [!NOTE]

+>

+> Several known issues exist in the portal around how you find your Standard logic app, which is created

+> as a container app in this release. Your Standard logic app is also labeled differently from Standard

+> logic apps deployed to single-tenant Azure and App Service environment v3. For more information, see

+> [Known issues and troubleshooting - Azure portal](#known-issues-portal).

+## Known issues and troubleshooting

+<a name="known-issues-portal"></a>

+### Azure portal

+- Your Standard logic app is deployed as a [Container App resource](/azure/container-apps/overview), but the type appears as **Logic App (Hybrid)**.

+- Your Standard logic app is listed in **Container Apps** resource list, not the **Logic apps** resource list.

+- Your Container Apps connected environment lists your Standard logic app as having an **App Type** named **Hybrid Logic App**.

+- To reflect changes in the designer after you save your workflow, you might have to occasionally refresh the designer.

+### Arc-enabled Kubernetes clusters

+In rare scenarios, you might notice a high memory footprint in your cluster. To prevent this issue, either scale out or add autoscale for node pools.

+### Function host isn't running

+After you deploy your Standard logic app, confirm that your app is running correctly.

+1. In the Azure portal, go to the container app resource for your logic app.

+1. On the container app menu, select **Overview**.

+1. On the **Overview** page, next to the **Application Url** field, select your container app's URL.

+ If your app is running correctly, a browser window opens and shows the following message:

+ :::image type="content" source="media/create-standard-workflows-hybrid-deployment/running-logic-app-hybrid-deployment.png" alt-text="Screenshot shows browser and logic app running as a website.":::

+ Otherwise, if your app has any failures, check that your AKS pods are running correctly. From Windows PowerShell, run the following commands:

+ ```powershell

+ az aks get-credentials {resource-group-name} --name {aks-cluster-name} --admin

+ kubectl get ns

+ kubectl get pods -n logicapps-aca-ns

+ kubectl describe pod {logic-app-pod-name} -n logicapps-aca-ns

+ ```

+ For more information, see the following documentation:

+ - [az aks get-credentials](/cli/azure/aks#az-aks-get-credentials)

+ - [Command line tool (kubetctl)](https://kubernetes.io/docs/reference/kubectl/)

+### Cluster doesn't have enough nodes

+If you ran the previous command and get a warning similar to the following example, your cluster doesn't have enough nodes for processing:

+**`Warning: FailedSchedulingΓÇ» 4m52s (x29 over 46m)ΓÇ» default-schedulerΓÇ» 0/2 nodes are available: 2 Too many pods. preemption: 0/2 nodes are available: 2 No preemption victims found for incoming pod.`**

+To increase the number of nodes, and set up autoscale, follow these steps:

+1. In the Azure portal, go to your Kubernetes service instance.

+1. On the instance menu, under **Settings**, select **Node pools**.

+1. On the **Node tools** page toolbar, select **+ Add node pool**.

+For more information, see the following documentation:

+- [Create node pools for a cluster in Azure Kubernetes Service (AKS)](/azure/aks/create-node-pools)

+- [Manage node pools for a cluster in Azure Kubernetes Service (AKS)](/azure/aks/manage-node-pools)

+- [Cluster autoscaling in Azure Kubernetes Service (AKS) overview](/azure/aks/cluster-autoscaler-overview)

+- [Use the cluster autoscaler in Azure Kubernetes Service (AKS)](/azure/aks/cluster-autoscaler?tabs=azure-cli)

+### SMB Container Storage Interface (CSI) driver not installed

+After you ran the earlier **`kubectl describe pod`** command, if the following warning appears, confirm whether the CSI driver for your SMB file share is installed correctly:

+**`Warning FailedScheduling 5m16s (x2 over 5m27s)  default-scheduler 0/14 nodes are available: pod has unbound immediate PersistentVolumeClaims. preemption: 0/14 nodes are available: 14 Preemption is not helpful for scheduling.`**

+**`Normal NotTriggerScaleUp 9m49s (x31 over 14m) cluster-autoscaler pod didn't trigger scale-up: 3 pod has unbound immediate PersistentVolumeClaims`**

+To confirm, from Windows PowerShell, run the following commands:

+```powershell

+kubectl get csidrivers

+```

+If the results list that appears doesn't include **smb.csi.k8s.io**, from a Windows command prompt, and run the following command:

+**`helm repo add csi-driver-smb`**<br>

+**`help repo update`**

+**`helm install csi-driver-smb csi-driver-smb/csi-driver-smb --namespace kube-system --version v1.15.0`**

+To check the CSI SMB Driver pods status, from the Windows command prompt, run the following command:

+**`kubectl --namespace=kube-system get pods --selector="app.kubernetes.io/name=csi-driver-smb" --watch`**

+For more information, see [Container Storage Interface (CSI) drivers on Azure Kubernetes Service (AKS)](/azure/aks/csi-storage-drivers).

+## Related content

+- [Set up requirements for Standard logic app deployment on your own infrastructure](set-up-standard-workflows-hybrid-deployment-requirements.md)

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | **EDIFACT** built-in connector and **EDIFACT** managed connector. The built-in version differs in the following ways: <br><br>- The built-in version provides only actions, but you can use any trigger that works for your scenario. <br><br>- The built-in version can directly access Azure virtual networks. You don't need an on-premises data gateway.<br><br>For more information, see the following documentation: <br><br>- [EDIFACT managed connector reference](/connectors/edifact/) <br>- [EDIFACT built-in connector operations](#edifact-built-in-operations) <br>- [EDIFACT message limits](logic-apps-limits-and-config.md#b2b-protocol-limits) |

+### EDIFACT built-in operations (Standard workflows only)

+The **EDIFACT** built-in connector has the following actions, which are similar to their counterpart **EDIFACT** managed connector actions, except where noted in [Limitations and known issues](#limitations-known-issues).

+* **EDIFACT** built-in connector

+ * This connector's actions currently support payloads up to 100 MB.

+ * The **EDIFACT Decode** action currently doesn't include the following capabilities:

+ Otherwise, the **EDIFACT Encode** and **EDIFACT decode** built-in connector actions have capabilities similar to their counterpart **EDIFACT** managed connector actions.

+#### EDIFACT built-in connector

+#### EDIFACT built-in connector

+ [!INCLUDE [logic-apps-host-plans](includes/logic-apps-host-plans.md)]

+ Title: Set up your own infrastructure for Standard logic app workflows

+description: Set up the requirements for your own managed infrastructure to deploy and host Standard logic app workflows using the hybrid deployment model.

+ms.suite: integration

+# Customer intent: As a developer, I need to set up the requirements to host and run Standard logic app workflows on infrastructure that my organization owns, which can include on-premises systems, private clouds, and public clouds.

+# Set up your own infrastructure for Standard logic apps using hybrid deployment (Preview)

+> [!NOTE]

+>

+> This capability is in preview, incurs charges for usage, and is subject to the

+> [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Azure Logic Apps supports scenarios where you need to use your own managed infrastructure to deploy and host Standard logic app workflows by offering a hybrid deployment model. This model provides the capabilities for hosting integration solutions in partially connected environments that require local processing, storage, and network access. Standard logic app workflows are powered by the Azure Logic Apps runtime that is hosted on premises as an Azure Container Apps extension.

+The following architectural overview shows where Standard logic app workflows are hosted and run in the hybrid model. The partially connected environment includes the following resources for hosting and working with your Standard logic apps, which deploy as Azure Container Apps resources:

+- Either Azure Arc-enabled Kubernetes clusters or Azure Arc-enabled Kubernetes clusters on Azure Stack *hyperconverged infrastructure* (HCI)

+- A SQL database to locally store workflow run history, inputs, and outputs for processing

+- A Server Message Block (SMB) file share to locally store artifacts used by your workflows

+For more information, see the following documentation:

+- [What is Azure Kubernetes Service?](/azure/aks/what-is-aks)

+- [Core concepts for Azure Kubernetes Service (AKS)](/azure/aks/concepts-clusters-workloads)

+- [Azure Arc-enabled Azure Kubernetes Service (AKS) clusters](/azure/azure-arc/kubernetes/overview)

+- [Azure Arc-enabled Kubernetes clusters on Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/overview)

+- [Custom locations for Azure Arc-enabled Kubernetes clusters](/azure/azure-arc/platform/conceptual-custom-locations)

+- [What is Azure Container Apps?](../container-apps/overview.md)

+- [Azure Container Apps on Azure Arc](../container-apps/azure-arc-overview.md)

+This how-to guide shows how to set up the necessary on-premises resources in your infrastructure so that you can create, deploy, and host a Standard logic app workflow using the hybrid deployment model.

+## Limitations

+- Hybrid deployment is currently available and supported only for Azure Arc-enabled Azure Kubernetes Service (AKS) clusters and Azure Arc-enabled Kubernetes clusters on Azure Stack HCI.

+## Prerequisites

+- An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Basic understanding about [core AKS concepts](/azure/aks/concepts-clusters-workloads)

+- [Technical requirements for working with Azure CLI](/azure/aks/learn/quick-kubernetes-deploy-cli#before-you-begin)

+- [Technical requirements for Azure Container Apps on Azure Arc-enabled Kubernetes](/azure/container-apps/azure-arc-overview#prerequisites), including access to a public or private container registry, such as the [Azure Container Registry](/azure/container-registry/).

+## Create a Kubernetes cluster

+Before you can deploy your Standard logic app as on-premises resource to an Azure Arc-enabled Kubernetes cluster in an Azure Container Apps connected environment, you first need a [Kubernetes cluster](/azure/aks/core-aks-concepts#cluster-components). You'll later connect this cluster to Azure Arc so that you have an [Azure Arc-enabled Kubernetes cluster](/azure/azure-arc/kubernetes/overview).

+Your Kubernetes cluster requires inbound and outbound connectivity with the [SQL database that you later create as the storage provider](#create-storage-provider) and with the [Server Message Block file share that you later create for artifacts storage](#set-up-smb-file-share). These resources must exist within the same network.

+> [!NOTE]

+>

+> You can also create a [Kubernetes cluster on Azure Stack HCI infrastructure](/azure-stack/hci/overview)

+> and apply the steps in this how-to guide to connect your cluster to Azure Arc and to set up your

+> connected environment. For more information about Azure Stack HCI, see the following resources:

+>

+> - [About Azure Stack HCI](/azure-stack/hci/deploy/deployment-introduction)

+> - [Deployment prerequisites for Azure Stack HCI](/azure-stack/hci/deploy/deployment-prerequisites)

+> - [Create Kubernetes clusters on Azure Stack HCI using Azure CLI](/azure/aks/hybrid/aks-create-clusters-cli)

+1. Set the following environment variables for the Kubernetes cluster that you want to create:

+ ```azurecli

+ SUBSCRIPTION="<Azure-subscription-ID>"

+ AKS_CLUSTER_GROUP_NAME="<aks-cluster-resource-group-name>"

+ AKS_NAME="<aks-cluster-name>"

+ LOCATION="eastus"

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **SUBSCRIPTION** | Yes | <*Azure-subscription-ID*> | The ID for your Azure subscription |

+ | **AKS_CLUSTER_GROUP_NAME** | Yes | <*aks-cluster-resource-group-name*> | The name for the Azure resource group to use with your Kubernetes cluster. This name must be unique across regions and can contain only letters, numbers, hyphens (**-**), underscores (**_**), parentheses (**()**), and periods (**.**). <br><br>This example uses **Hybrid-RG**. |

+ | **AKS_NAME** | Yes | <*aks-cluster-name*> | The name for your Kubernetes cluster. |

+ | **LOCATION** | Yes | <*Azure-region*> | An Azure region that [supports Azure container apps on Azure Arc-enabled Kubernetes](../container-apps/azure-arc-overview.md#public-preview-limitations). <br><br>This example uses **eastus**. |

+1. Run the following commands either by using the Bash environment in [Azure Cloud Shell](/azure/cloud-shell/overview) or locally using [Azure CLI installed on your computer](/cli/azure/install-azure-cli):

+ > [!NOTE]

+ >

+ > Make sure to change the **max-count** and **min-count** node values based on your load requirements.

+ ```azurecli

+ az login

+ az account set --subscription $SUBSCRIPTION

+ az provider register --namespace Microsoft.KubernetesConfiguration --wait

+ az extension add --name k8s-extension --upgrade --yes

+ az group create

+ --name $AKS_CLUSTER_GROUP_NAME

+ --location $LOCATION

+ az aks create \

+ --resource-group $AKS_CLUSTER_GROUP_NAME \

+ --name $AKS_NAME \

+ --enable-aad \

+ --generate-ssh-keys \

+ --enable-cluster-autoscaler \

+ --max-count 6 \

+ --min-count 1

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **`max count`** | No | <*max-nodes-value*> | The maximum number of nodes to use for the autoscaler when you include the **`enable-cluster-autoscaler`** option. This value ranges from **1** to **1000**. |

+ | **`min count`** | No | <*min-nodes-value*> | The minimum number of nodes to use for the autoscaler when you include the **`enable-cluster-autoscaler`** option. This value ranges from **1** to **1000**. |

+ For more information, see the following resources:

+ - [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Azure CLI](/azure/aks/learn/quick-kubernetes-deploy-cli)

+ - [**az account set**](/cli/azure/account#az-account-set)

+ - [**az group create**](/cli/azure/group#az-group-create)

+ - [**az aks create**](/cli/azure/aks#az-aks-create)

+## Connect Kubernetes cluster to Azure Arc

+To create your Azure Arc-enabled Kubernetes cluster, connect your Kubernetes cluster to Azure Arc.

+> [!NOTE]

+>

+> You can find the steps in this section and onwards through to creating your connected

+> environment in a script named **EnvironmentSetup.ps1**, which you can find in the

+> [GitHub repo named **Azure/logicapps**](https://github.com/Azure/logicapps/tree/master/scripts/hybrid).

+> You can modify and use this script to meet your requirements and scenarios.

+>

+> The script is unsigned, so before you run the script, run the following Azure

+> PowerShell command as an administrator to set the execution policy:

+>

+> `Set-ExecutionPolicy -ExecutionPolicy Unrestricted`

+>

+> For more information, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).

+1. Install the following Azure CLI extensions:

+ ```azurecli

+ az extension add --name connectedk8s --upgrade --yes

+ az extension add --name k8s-extension --upgrade --yes

+ az extension add --name customlocation --upgrade --yes

+ az extension add --name containerapp --upgrade --yes

+ ```

+ For more information, see the following resources:

+ - [Install Azure CLI extensions](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#setup)

+ - [az extension add](/cli/azure/extension#az-extension-add)

+1. Register the following required namespaces:

+ ```azurecli

+ az provider register --namespace Microsoft.ExtendedLocation --wait

+ az provider register --namespace Microsoft.KubernetesConfiguration --wait

+ az provider register --namespace Microsoft.App --wait

+ az provider register --namespace Microsoft.OperationalInsights --wait

+ ```

+ For more information, see the following resources:

+ - [Register the required namespaces](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#setup)

+ - [az provider register](/cli/azure/provider#az-provider-register)

+1. Install the Kubernetes command line interface (CLI) named **kubectl**:

+ ```azurecli

+ Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

+

+ choco install kubernetes-cli -y

+ ```

+ For more information, see the following resources:

+ - [Command line tool (kubectl)](https://kubernetes.io/docs/reference/kubectl/kubectl/)

+ - [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy)

+ - [choco install kubernetes-cli](https://docs.chocolatey.org/en-us/choco/commands/install/)

+1. Install the Kubernetes package manager named **Helm**:

+ ```azurecli

+ choco install kubernetes-helm

+ ```

+ For more information, see the following resources:

+ - [Helm](https://helm.sh/)

+ - [choco install kubernetes-helm](https://community.chocolatey.org/packages/kubernetes-helm)

+1. Install the SMB driver using the following Helm commands:

+ 1. Add the specified chart repository, get the latest information for available charts, and install the specified chart archive.

+ ```azurecli

+ helm repo add csi-driver-smb https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts

+ helm repo update

+ helm install csi-driver-smb csi-driver-smb/csi-driver-smb --namespace kube-system --version v1.15.0

+ ```

+ For more information, see the following resources:

+ - [helm repo add](https://helm.sh/docs/helm/helm_repo_add/)

+ - [helm repo update](https://helm.sh/docs/helm/helm_repo_update/)

+ - [helm install](https://helm.sh/docs/helm/helm_install/)

+ 1. Confirm that the SMB driver is installed by running the following **kubectl** command, which should list **smb.csi.k8s.io**:

+ ```azurecli

+ kubectl get csidriver

+ ```

+ For more information, see [kubectl get](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_get/).

+## Connect your Kubernetes cluster to Azure Arc

+1. Test your connection to your cluster by getting the [**kubeconfig** file](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/):

+ ```azurecli

+ az aks get-credentials \

+ --resource-group $AKS_CLUSTER_GROUP_NAME \

+ --name $AKS_NAME \

+ --admin

+ kubectl get ns

+ ```

+ By default, the **kubeconfig** file is saved to the path, **~/.kube/config**. This command applies to our example Kubernetes cluster and differs for other kinds of Kubernetes clusters.

+ For more information, see the following resources:

+ - [Create connected cluster](../container-apps/azure-arc-enable-cluster.md?tabs=azure-cli#create-a-connected-cluster)

+ - [az aks get-credentials](/cli/azure/aks#az-aks-get-credentials)

+ - [kubectl get](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_get/)

+1. Based on your Kubernetes cluster deployment, set the following environment variable to provide a name to use for the Azure resource group that contains your Azure Arc-enabled cluster and resources:

+ ```azurecli

+ GROUP_NAME="<Azure-Arc-cluster-resource-group-name>"

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **GROUP_NAME** | Yes | <*Azure-Arc-cluster-resource-group-name*> | The name for the Azure resource group to use with your Azure Arc-enabled cluster and other resources, such as your Azure Container Apps extension, custom location, and Azure Container Apps connected environment. This name must be unique across regions and can contain only letters, numbers, hyphens (**-**), underscores (**_**), parentheses (**()**), and periods (**.**). <br><br>This example uses **Hybrid-Arc-RG**. |

+1. Create the Azure resource group for your Azure Arc-enabled cluster and resources:

+ ```azurecli

+ az group create \

+ --name $GROUP_NAME \

+ --location $LOCATION

+ ```

+ For more information, see the following resources:

+ - [Create connected cluster](../container-apps/azure-arc-enable-cluster.md?tabs=azure-cli#create-a-connected-cluster)

+ - [az group create](/cli/azure/group#az-group-create)

+1. Set the following environment variable to provide a name for your Azure Arc-enabled Kubernetes cluster:

+ ```azurecli

+ CONNECTED_CLUSTER_NAME="$GROUP_NAME-cluster"

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **CONNECTED_CLUSTER_NAME** | Yes | <*Azure-Arc-cluster-resource-group-name*>-**cluster** | The name to use for your Azure Arc-enabled cluster. This name must be unique across regions and can contain only letters, numbers, hyphens (**-**), underscores (**_**), parentheses (**()**), and periods (**.**). <br><br>This example uses **Hybrid-Arc-RG-cluster**. |

+1. Connect your previously created Kubernetes cluster to Azure Arc:

+ ```azurecli

+ az connectedk8s connect \

+ --resource-group $GROUP_NAME \

+ --name $CONNECTED_CLUSTER_NAME

+ ```

+ For more information, see the following resources:

+ - [Create connected cluster](../container-apps/azure-arc-enable-cluster.md?tabs=azure-cli#create-a-connected-cluster)

+ - [az connectedk8s connect](/cli/azure/connectedk8s?#az-connectedk8s-connect)

+1. Validate the connection between Azure Arc and your Kubernetes cluster:

+ ```azurecli

+ az connectedk8s show \

+ --resource-group $GROUP_NAME \

+ --name $CONNECTED_CLUSTER_NAME

+ ```

+ If the output shows that the **provisioningState** property value isn't set to **Succeeded**, run the command again after one minute.

+ For more information, see the following resources:

+ - [Create connected cluster](../container-apps/azure-arc-enable-cluster.md?tabs=azure-cli#create-a-connected-cluster)

+ - [az connectedk8s show](/cli/azure/connectedk8s?#az-connectedk8s-show)

+## Create an Azure Log Analytics workspace

+You can create an optional, but recommended, Azure Log Analytics workspace, which provides access to logs for apps that run in your Azure Arc-enabled Kubernetes cluster.

+1. Set the following environment variable to provide a name your Log Analytics workspace:

+ ```azurecli

+ WORKSPACE_NAME="$GROUP_NAME-workspace"

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **WORKSPACE_NAME** | Yes | <*Azure-Arc-cluster-resource-group-name*>**-workspace** | The name to use for your Log Analytics workspace. This name must be unique within your resource group. <br><br>This example uses **Hybrid-Arc-RG-workspace**. |

+1. Create the Log Analytics workspace:

+ ```azurecli

+ az monitor log-analytics workspace create \

+ --resource-group $GROUP_NAME \

+ --workspace-name $WORKSPACE_NAME

+ ```

+ For more information, see the following resources:

+ - [Create a Log Analytics workspace](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#create-a-log-analytics-workspace)

+ - [az monitor log-analytics](/cli/azure/monitor/log-analytics)

+1. Get the base64-encoded ID and shared key for your Log Analytics workspace. You need these values for a later step.

+ ```azurecli

+ LOG_ANALYTICS_WORKSPACE_ID=$(az monitor log-analytics workspace show \

+ --resource-group $GROUP_NAME \

+ --workspace-name $WORKSPACE_NAME \

+ --query customerId \

+ --output tsv)

+ LOG_ANALYTICS_WORKSPACE_ID_ENC=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($LOG_ANALYTICS_WORKSPACE_ID))

+ LOG_ANALYTICS_KEY=$(az monitor log-analytics workspace get-shared-keys \

+ --resource-group $GROUP_NAME \

+ --workspace-name $WORKSPACE_NAME \

+ --query primarySharedKey \

+ --output tsv)

+ LOG_ANALYTICS_KEY_ENC=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($LOG_ANALYTICS_KEY))

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **LOG_ANALYTICS_WORKSPACE_ID** | Yes | The ID for your Log Analytics workspace. |

+ | **LOG_ANALYTICS_WORKSPACE_ID_ENC** | Yes | The base64-encoded ID for your Log Analytics workspace. |

+ | **LOG_ANALYTICS_KEY** | Yes | The shared key for your Log Analytics workspace. |

+ | **LOG_ANALYTICS_ENC** | Yes | The base64-encoded shared key for your Log Analytics workspace. |

+ For more information, see the following resources:

+ - [Create a Log Analytics workspace](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#create-a-log-analytics-workspace)

+ - [az monitor log-analytics](/cli/azure/monitor/log-analytics)

+## Create and install the Azure Container Apps extension

+Now, create and install the Azure Container Apps extension with your Azure Arc-enabled Kubernetes cluster as an on-premises resource.

+> [!IMPORTANT]

+>

+> If you want to deploy to AKS on Azure Stack HCI, before you create and install the Azure Container Apps extension,

+> make sure that you [set up **HAProxy** or a custom load balancer](/azure/aks/hybrid/configure-load-balancer).

+1. Set the following environment variables to the following values:

+

+ ```azurecli

+ EXTENSION_NAME="logicapps-aca-extension"

+ NAMESPACE="logicapps-aca-ns"

+ CONNECTED_ENVIRONMENT_NAME="<connected-environment-name>"

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **EXTENSION_NAME** | Yes | **logicapps-aca-extension** | The name for the Azure Container Apps extension. |

+ | **NAMESPACE** | Yes | **logicapps-aca-ns** | The cluster namespace where you want to provision resources. |

+ | **CONNECTED_ENVIRONMENT_NAME** | Yes | <*connected-environment-name*> | A unique name to use for the Azure Container Apps connected environment. This name becomes part of the domain name for the Standard logic app that you create, deploy, and host in the Azure Container Apps connected environment. |

+1. Create and install the extension with Log Analytics enabled for your Azure Arc-enabled Kubernetes cluster. You can't later add Log Analytics to the extension.

+ ```azurecli

+ az k8s-extension create \

+ --resource-group $GROUP_NAME \

+ --name $EXTENSION_NAME \

+ --cluster-type connectedClusters \

+ --cluster-name $CONNECTED_CLUSTER_NAME \

+ --extension-type 'Microsoft.App.Environment' \

+ --release-train stable \

+ --auto-upgrade-minor-version true \

+ --scope cluster \

+ --release-namespace $NAMESPACE \

+ --configuration-settings "Microsoft.CustomLocation.ServiceAccount=default" \

+ --configuration-settings "appsNamespace=${NAMESPACE}" \

+ --configuration-settings "keda.enabled=true" \

+ --configuration-settings "keda.logicAppsScaler.enabled=true" \

+ --configuration-settings "keda.logicAppsScaler.replicaCount=1" \

+ --configuration-settings "containerAppController.api.functionsServerEnabled=true" \

+ --configuration-settings "envoy.externalServiceAzureILB=false" \

+ --configuration-settings "functionsProxyApiConfig.enabled=true" \

+ --configuration-settings "clusterName=${CONNECTED_ENVIRONMENT_NAME}" \

+ --configuration-settings "envoy.annotations.service.beta.kubernetes.io/azure-load-balancer-resource-group=${GROUP_NAME}" \

+ --configuration-settings "logProcessor.appLogs.destination=log-analytics" \

+ --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.customerId=${LOG_ANALYTICS_WORKSPACE_ID_ENC}" \

+ --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.sharedKey=${LOG_ANALYTICS_KEY_ENC}"

+ ```

+ | Parameter | Required | Description |

+ |--|-|-|

+ | **Microsoft.CustomLocation.ServiceAccount** | Yes | The service account created for the custom location. <br><br>**Recommendation**: Set the value to **default**. |

+ | **appsNamespace** | Yes | The namespace to use for creating app definitions and revisions. This value must match the release namespace for the Azure Container Apps extension. |

+ | **clusterName** | Yes | The name for the Azure Container Apps extension Kubernetes environment to create for the extension. |

+ | **keda.enabled** | Yes | Enable [Kubernetes Event-driven Autoscaling (KEDA)](https://keda.sh/). This value is required and must be set to **true**. |

+ | **keda.logicAppsScaler.enabled** | Yes | Enable the Azure Logic Apps scaler in KEDA. This value is required and must be set to **true**. |

+ | **keda.logicAppsScaler.replicaCount** | Yes | The initial number of logic app scalers to start. The default value set to **1**. This value scales up or scales down to **0**, if no logic apps exist in the environment. |

+ | **containerAppController.api.functionsServerEnabled** | Yes | Enable the service responsible for converting logic app workflow triggers to KEDA-scaled objects. This value is required and must be set to **true**. |

+ | **envoy.externalServiceAzureILB** | Yes | Determines whether the envoy acts as an internal load balancer or a public load balancer. <br><br>- **true**: The envoy acts as an internal load balancer. The Azure Logic Apps runtime is accessible only within private network. <br><br>- **false**: The envoy acts as a public load balancer. The Azure Logic Apps runtime is accessible over the public network. |

+ | **functionsProxyApiConfig.enabled** | Yes | Enable the proxy service that facilitates API access to the Azure Logic Apps runtime from the Azure portal. This value is required and must be set to **true**. |

+ | **envoy.annotations.service.beta.kubernetes.io/azure-load-balancer-resource-group** | Yes, but only when the underlying cluster is Azure Kubernetes Service. | The name for the resource group where the Kubernetes cluster exists. |

+ | **logProcessor.appLogs.destination** | No | The destination to use for application logs. The value is either **log-analytics** or **none**, which disables logging. |

+ | **logProcessor.appLogs.logAnalyticsConfig.customerId** | Yes, but only when **logProcessor.appLogs.destination** is set to **log-analytics**. | The base64-encoded ID for your Log Analytics workspace. Make sure to configure this parameter as a protected setting. |

+ | **logProcessor.appLogs.logAnalyticsConfig.sharedKey** | Yes, but only when **logProcessor.appLogs.destination** is set to **log-analytics**. | The base64-encoded shared key for your Log Analytics workspace. Make sure to configure this parameter as a protected setting. |

+ For more information, see the following resources:

+ - [Install the Azure Container Apps extension](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#install-the-container-apps-extension)

+ - [az k8s-extension create](/cli/azure/k8s-extension?#az-k8s-extension-create)

+1. Save theΓÇ»**ID** value for the Azure Container Apps extension to use later:

+ ```azurecli

+ EXTENSION_ID=$(az k8s-extension show \

+ --cluster-type connectedClusters \

+ --cluster-name $CONNECTED_CLUSTER_NAME \

+ --resource-group $GROUP_NAME \

+ --name $EXTENSION_NAME \

+ --query id \

+ --output tsv)

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **EXTENSION_ID** | Yes | <*extension-ID*> | The ID for the Azure Container Apps extension. |

+ For more information, see the following resources:

+ - [Install the Azure Container Apps extension](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#install-the-container-apps-extension)

+ - [az k8s-extension show](/cli/azure/k8s-extension?#az-k8s-extension-show)

+1. Before you continue, wait for the extension to fully install. To have your terminal session wait until the installation completes, run the following command:

+ ```azurecli

+ az resource wait \

+ --ids $EXTENSION_ID \

+ --custom "properties.provisioningState!='Pending'" \

+ --api-version "2020-07-01-preview"

+ ```

+ For more information, see the following resources:

+ - [Install the Azure Container Apps extension](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#install-the-container-apps-extension)

+ - [az resource wait](/cli/azure/resource?#az-resource-wait)

+## Create your custom location

+1. Set the following environment variables to the specified values:

+ ```azurecli

+ CUSTOM_LOCATION_NAME="my-custom-location"

+ CONNECTED_CLUSTER_ID=$(az connectedk8s show \

+ --resource-group $GROUP_NAME \

+ --name $CONNECTED_CLUSTER_NAME \

+ --query id \

+ --output tsv)

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **CUSTOM_LOCATION_NAME** | Yes | **my-custom-location** | The name to use for your custom location. |

+ | **CONNECTED_CLUSTER_ID** | Yes | <*Azure-Arc-cluster-ID*> | The ID for the Azure Arc-enabled Kubernetes cluster. |

+ For more information, see the following resources:

+ - [Create a custom location](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#create-a-custom-location)

+ - [az k8s-extension show](/cli/azure/k8s-extension?#az-k8s-extension-show)

+1. Create the custom location:

+ ```azurecli

+ az customlocation create \

+ --resource-group $GROUP_NAME \

+ --name $CUSTOM_LOCATION_NAME \

+ --host-resource-id $CONNECTED_CLUSTER_ID \

+ --namespace $NAMESPACE \

+ --cluster-extension-ids $EXTENSION_ID \

+ --location $LOCATION

+ ```

+ > [!NOTE]

+ >

+ > If you experience issues creating a custom location on your cluster, you might have to

+ > [enable the custom location feature on your cluster](/azure/azure-arc/kubernetes/custom-locations#enable-custom-locations-on-your-cluster).

+ > This step is required if you signed in to Azure CLI using a service principal, or if

+ > you signed in as a Microsoft Entra user with restricted permissions on the cluster resource.

+ For more information, see the following resources:

+ - [Create a custom location](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#create-a-custom-location)

+ - [az customlocation create](/cli/azure/customlocation#az-customlocation-create)

+1. Validate that the custom location is successfully created:

+ ```azurecli

+ az customlocation show \

+ --resource-group $GROUP_NAME \

+ --name $CUSTOM_LOCATION_NAME

+ ```

+ If the output shows that the **provisioningState** property value isn't set to **Succeeded**, run the command again after one minute.

+1. Save the custom location ID for use in a later step:

+ ```azurecli

+ CUSTOM_LOCATION_ID=$(az customlocation show \

+ --resource-group $GROUP_NAME \

+ --name $CUSTOM_LOCATION_NAME \

+ --query id \

+ --output tsv)

+ ```

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **CUSTOM_LOCATION_ID** | Yes | <*my-custom-location-ID*> | The ID for your custom location. |

+ For more information, see the following resources:

+ - [Create a custom location](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#create-a-custom-location)

+ - [az customlocation show](/cli/azure/customlocation#az-customlocation-show)

+## Create the Azure Container Apps connected environment

+Now, create your Azure Container Apps connected environment for your Standard logic app to use.

+```azurecli

+az containerapp connected-env create \

+ --resource-group $GROUP_NAME \

+ --name $CONNECTED_ENVIRONMENT_NAME \

+ --custom-location $CUSTOM_LOCATION_ID \

+ --location $LOCATION

+```

+For more information, see the following resources:

+- [Create a custom location](/azure/container-apps/azure-arc-enable-cluster?tabs=azure-cli#create-the-azure-container-apps-connected-environment)

+- [az containerapp connected-env create](/cli/azure/containerapp#az-containerapp-create)

+<a name="create-storage-provider"></a>

+## Create SQL Server storage provider

+Standard logic app workflows in the hybrid deployment model use a SQL database as the storage provider for the data used by workflows and the Azure Logic Apps runtime, for example, workflow run history, inputs, outputs, and so on.

+Your SQL database requires inbound and outbound connectivity with your Kubernetes cluster, so these resources must exist in the same network.

+1. Set up any of the following SQL Server editions:

+ - SQL Server on premises

+ - [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview)

+ - [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview)

+ - [SQL Server enabled by Azure Arc](/sql/sql-server/azure-arc/overview)

+ For more information, see [Set up SQL database storage for Standard logic app workflows](/azure/logic-apps/set-up-sql-db-storage-single-tenant-standard-workflows).

+1. Confirm that your SQL database is in the same network as your Arc-enabled Kubernetes cluster and SMB file share.

+1. Find and save the connection string for the SQL database that you created.

+<a name="set-up-smb-file-share"></a>

+## Set up SMB file share for artifacts storage

+To store artifacts such as maps, schemas, and assemblies for your container app resource, you need to have a file share that uses the [Server Message Block (SMB) protocol](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview).

+- You need administrator access to set up your SMB file share.

+- Your SMB file share must exist in the same network as your Kubernetes cluster and SQL database.

+- Your SMB file share requires inbound and outbound connectivity with your Kubernetes cluster. If you enabled Azure virtual network restrictions, make sure that your file share exists in the same virtual network as your Kubernetes cluster or in a peered virtual network.

+- To deploy your logic app using Visual Studio Code, make sure that the local computer with Visual Studio Code can access the file share.

+### Set up your SMB file share on Windows

+Make sure that your SMB file share exists in the same virtual network as the cluster where you mount your file share.

+1. In Windows, go to the folder that you want to share, open the shortcut menu, select **Properties**.

+1. On the **Sharing** tab, select **Share**.

+1. In the box that opens, select a person who you want to have access to the file share.

+1. Select **Share**, and copy the link for the network path.

+ If your local computer isn't connected to a domain, replace the computer name in the network path with the IP address.

+1. Save the IP address to use later as the host name.

+### Set up Azure Files as your SMB file share

+Alternatively, for testing purposes, you can use [Azure Files as an SMB file share](/azure/storage/files/files-smb-protocol). Make sure that your SMB file share exists in the same virtual network as the cluster where you mount your file share.

+1. In the [Azure portal](https://portal.azure.com), [create an Azure storage account](/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal#create-a-storage-account).

+1. From the storage account menu, under **Data storage**, select **File shares**.

+1. From the **File shares** page toolbar, select **+ File share**, and provide the required information for your SMB file share.

+1. After deployment completes, select **Go to resource**.

+1. On the file share menu, select **Overview**, if not selected.

+1. On the **Overview** page toolbar, select **Connect**. On the **Connect** pane, select **Show script**.

+1. Copy the following values and save them somewhere safe for later use:

+ - File share's host name, for example, **mystorage.file.core.windows.net**

+ - File share path

+ - Username without **`localhost\`**

+ - Password

+1. On the **Overview** page toolbar, select **+ Add directory**, and provide a name to use for the directory. Save this name to use later.

+You need these saved values to provide your SMB file share information when you deploy your container app resource.

+For more information, see [Create an SMB Azure file share](/azure/storage/files/storage-how-to-create-file-share?tabs=azure-portal).

+## Confirm SMB file share connection

+To test the connection between your Arc-enabled Kubernetes cluster and your SMB file share, and to check that your file share is correctly set up, follow these steps:

+- If your SMB file share isn't on the same cluster, confirm that the ping operation works from your Arc-enabled Kubernetes cluster to the virtual machine that has your SMB file share. To check that the ping operation works, follow these steps:

+ 1. In your Arc-enabled Kubernetes cluster, create a test [pod](/azure/aks/core-aks-concepts#pods) that runs any Linux image, such as BusyBox or Ubuntu.

+ 1. Go to the container in your pod, and install the **iputils-ping** package by running the following Linux commands:

+ ```

+ apt-get update

+ apt-get install iputils-ping

+ ```

+- To confirm that your SMB file share is correctly set up, follow these steps:

+ 1. In your test pod with the same Linux image, create a folder that has the path named **mnt/smb**.

+ 1. Go to the root or home directory that contains the **mnt** folder.

+ 1. Run the following command:

+ **`- mount -t cifs //{ip-address-smb-computer}/{file-share-name}/mnt/smb -o username={user-name}, password={password}`**

+- To confirm that artifacts correctly upload, connect to the SMB file share path, and check whether artifact files exist in the correct folder that you specify during deployment.

+## Next steps

+[Create Standard logic app workflows for hybrid deployment on your own infrastructure](create-standard-workflows-hybrid-deployment.md)

+ [!INCLUDE [logic-apps-host-plans](includes/logic-apps-host-plans.md)]

+ [!INCLUDE [logic-apps-host-plans](includes/logic-apps-host-plans.md)]

+ [!INCLUDE [logic-apps-host-plans](includes/logic-apps-host-plans.md)]

+Linux server access | A sudo user account with permissions to execute ls and netstat commands. If you're providing a sudo user account, ensure that you enable **NOPASSWD** for the account to run the required commands without prompting for a password every time a sudo command is invoked. <br /><br /> Alternatively, you can create a user account that has the CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE permissions on /bin/netstat and /bin/ls files set by using the following commands:<br /><code>sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/ls<br /> sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/netstat</code>|

+|Port access | The Azure Migrate appliance must be able to connect to TCP port 443 on ESXi hosts running the servers that have dependencies you want to discover. The server running vCenter Server returns an ESXi host connection to download the file containing the dependency data.

+> [!Note]

+> In some recent Linux OS versions, the netstat command was replaced by the `ss` command; have that in mind when preparing the servers.

+This example uses the minimum Graylog setup (i.e. a single instance of a Graylog), but Graylog can be architected to scale across resources depending on your system and production needs. For more information on architectural considerations or a deep architectural guide, see Graylog's [documentation](https://archivedocs.graylog.org/en/3.2/pages/architecture.html) and [architectural guide](https://www.slideshare.net/Graylog/graylog-engineering-design-your-architecture).

+ The Logstash config file provided is composed of three parts: the input, filter, and output. The input section designates the input source of the logs that Logstash will process - in this case, you're going to use an Azure blog input plugin (installed in the next steps) that allows us to access the network security group flow log JSON files stored in blob storage.

+2. To navigate to the configuration page, select the **System** drop-down menu in the top navigation bar to the right, and then select **Inputs**.

+After allowing some time for your Graylog server to collect messages, you're able to search through the messages. To check the messages being sent to your Graylog server, from the **Inputs** configuration page select the "**Show received messages**" button of the GELF UDP input you created. You're directed to a screen that looks similar to the following picture:

+Select the blue **%{Message}** link to expand the message to show the parameters of the flow tuple.

+By default, all message fields are included in the search if you don't select a specific message field to search for. If you want to search for specific messages (i.e. - flow tuples from a specific source IP) you can use the Graylog search query language as [documented](https://archivedocs.graylog.org/en/3.2/pages/queries.html)

+2. From there, select the green **Create dashboard** button and fill out the short form with the title and description of your dashboard. Hit the

+You can select the title of the dashboard to see it, but right now it's empty, since we haven't added any widgets. An easy and useful type widget to add to

+3. Select any desired parameter in which to visualize (in this example, the IP source is selected). To show the list of possible widgets, select the blue drop-down arrow to the left of the field, then select **Quick values** to generate the widget. You should see something similar to the following picture:

+## Next step

+> [!div class="nextstepaction"]

+> [Visualize network security group flows logs with Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md)

+Be sure to read the [Azure Notification Hubs overview](notification-hubs-push-notification-overview.md) if you're not familiar with the service.

+ The certificate is downloaded and saved in your **Downloads** folder:

+5. Double-click the downloaded push certificate **aps\_development.cer**. This action installs the new certificate in the Keychain.

+In this tutorial, you created and configured a notification hub in Azure and configured it to allow notifications to be sent to your application through Apple Push Notification Service (APNS). Next, we'll create a sample iOS application and integrate the Azure Notifications Hubs SDK so that it can receive push notifications sent through the Azure portal. Advance to the following tutorial based on your language of choice:

+The application name and identifier are also available in the **Certificates, Identifiers & Profiles** page in the developer account.

+There might be situations where a user needs to investigate and resolve issues with an on-premises bare metal machine. Azure Operator Nexus provides a prescribed set of data extract commands via `az networkcloud baremetalmachine run-data-extract`. These commands enable users to get diagnostic data from a bare metal machine.

+The command produces an output file containing the results of the data extract. Users should configure the Cluster resource with a storage account and identity that has access to the storage account to receive the output. There's a deprecated method of sending data to the Cluster Manager storage account if a storage account hasn't been provided on the Cluster. The Cluster Manager's storage account will be disabled in a future release as using a separate storage account is more secure.

+- This article assumes that the Azure command line interface and the `networkcloud` command line interface extension are installed. For more information, see [How to Install CLI Extensions](./howto-install-cli-extensions.md).

+- The target bare metal machine is on and ready.

+## Create and configure storage resources (customer-managed storage)

+1. Create a storage account, or identify an existing storage account that you want to use. See [Create an Azure storage account](/azure/storage/common/storage-account-create?tabs=azure-portal).

+2. In the storage account, create a blob storage container. See [Create a container](/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container).

+3. Assign the "Storage Blob Data Contributor" role to users and managed identities which need access to the run-data-extract output. See [Assign an Azure role for access to blob data](/azure/storage/blobs/assign-azure-role-data-access?tabs=portal). The role must also be assigned to either a user-assigned managed identity or the cluster's own system-assigned managed identity. For more information on managed identities, see [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).

+When assigning a role to the cluster's system-assigned identity, make sure you select the resource with the type "Cluster (Operator Nexus)."

+## Configure the cluster to use a user-assigned managed identity for storage access

+Use this command to configure the cluster for a user-assigned identity:

+```azurecli-interactive

+az networkcloud cluster update --name "<cluster-name>" \

+ --resource-group "<cluster-resource-group>" \

+ --mi-user-assigned "<user-assigned-identity-resource-id>" \

+ --command-output-settings identity-type="UserAssignedIdentity" \

+ identity-resource-id="<user-assigned-identity-resource-id>" \

+ container-url="<container-url>" \

+ --subscription "<subscription>"

+```

+The identity resource ID can be found by clicking "JSON view" on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.

+## Configure the cluster to use a system-assigned managed identity for storage access

+Use this command to configure the cluster to use its own system-assigned identity:

+```azurecli-interactive

+az networkcloud cluster update --name "<cluster-name>" \

+ --resource-group "<cluster-resource-group>" \

+ --mi-system-assigned true \

+ --command-output-settings identity-type="SystemAssignedIdentity" \

+ container-url="<container-url>" \

+ --subscription "<subscription>"

+```

+To change the cluster from a user-assigned identity to a system-assigned identity, the CommandOutputSettings must first be cleared using the command in the next section, then set using this command.

+## Clear the cluster's CommandOutputSettings

+The CommandOutputSettings can be cleared, directing run-data-extract output back to the cluster manager's storage. However, it isn't recommended since it's less secure, and the option will be removed in a future release.

+However, the CommandOutputSettings do need to be cleared if switching from a user-assigned identity to a system-assigned identity.

+Use this command to clear the CommandOutputSettings:

+```azurecli-interactive

+az rest --method patch \

+ --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<cluster-resource-group>/providers/Microsoft.NetworkCloud/clusters/<cluster-name>?api-version=2024-08-01-preview" \

+ --body '{"properties": {"commandOutputSettings":null}}'

+```

+## Verify Storage Account access (cluster manager storage)

+If using the deprecated Cluster Manager storage method, verify you have access to the Cluster Manager's storage account

+1. From Azure portal, navigate to Cluster Manager's Storage account.

+1. In the Storage account details, select **Storage browser** from the navigation menu on the left side.

+1. In the Storage browser details, select on **Blob containers**.

+1. If you encounter a `403 This request is not authorized to perform this operation.` while accessing the storage account, storage accountΓÇÖs firewall settings need to be updated to include the public IP address.

+1. Request access by creating a support ticket via Portal on the Cluster Manager resource. Provide the public IP address that requires access.

+## Execute a run command

+**`hardware-support-data-collection` Output**

+**Example list of hardware support files collected**

+ inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_BIOSAttribute.xml

+ inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Sensor.xml

+ inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_View.xml

+ inflating: tsr/hardware/sysinfo/inventory/sysinfo_DCIM_SoftwareIdentity.xml

+ inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_Capabilities.xml

+ inflating: tsr/hardware/sysinfo/inventory/sysinfo_CIM_StatisticalData.xml

+ inflating: tsr/hardware/sysinfo/lcfiles/lclog_0.xml.gz

+ inflating: tsr/hardware/sysinfo/lcfiles/curr_lclog.xml

+ inflating: tsr/hardware/idracstateinfo/avc.log

+ extracting: tsr/hardware/idracstateinfo/avc.log.persistent.1

+**`mde-agent-information` Output**

+**Example JSON object collected**

+Data collected from the `mde-support-diagnostics` command uses the MDE Client Analyzer tool to bundle information from `mdatp` commands and relevant log files. The storage account `tgz` file contains a `zip` file named `mde-support-diagnostics-<hostname>.zip`. The `zip` should be sent along with any support requests to ensure the supporting teams can use the logs for troubleshooting and root cause analysis, if needed.

+**`mde-support-diagnostics` Output**

+Script execution result can be found in storage account:

+ https://cmmj627vvrzkst.blob.core.windows.net/bmm-run-command-output/7c5557b9-b6b6-a4a4-97ea-752c38918ded-action-bmmdataextcmd.tar.gz?se=2024-01-23T20%3A11%3A32Z&sig=9h20XlZO87J7fCr0S1234xcyu%2Fl%2BVuaDh1BE0J6Yfl8%3D&sp=r&spr=https&sr=b&st=2024-01-23T16%3A11%3A32Z&sv=2019-12-12

+After you download the execution result file, the support files can be unzipped for analysis.

+**Example list of information collected by the MDE Client Analyzer**

+ inflating: mde_diagnostic.zip

+ inflating: process_information.txt

+ inflating: auditd_info.txt

+ inflating: auditd_log_analysis.txt

+ inflating: auditd_logs.zip

+ inflating: ebpf_kernel_config.txt

+ inflating: ebpf_enabled_func.txt

+ inflating: ebpf_syscalls.zip

+ inflating: ebpf_raw_syscalls.zip

+ inflating: messagess.zip

+ inflating: conflicting_processes_information.txt

+in the data extract zip file located in the storage account. The data collected shows the health of the machine subsystems.

+**`hardware-rollup-status` Output**

+**Example JSON Collected**

+ "Members" :

+Vulnerability data is collected with the `cluster-cve-report` command and formatted as JSON to `{year}-{month}-{day}-nexus-cluster-vulnerability-report.json`. The JSON file is found in the data extract zip file located in the storage account. The data collected includes vulnerability data per container image in the cluster.

+**`cluster-cve-report` Output**

+**CVE Report Schema**

+**CVE Data Details**

+The CVE data is refreshed per container image every 24 hours or when there's a change to the Kubernetes resource referencing the image.

+The command provides another command (if using customer provided storage) or a link (if using cluster manager storage) to download the full output. The tar.gz file also contains the zipped extract command file outputs. Download the output file from the storage blob to a local directory by specifying the directory path in the optional argument `--output-directory`.

+> [!WARNING]

+> Using the `--output-directory` argument will overwrite any files in the local directory that have the same name as the new files being created.

+> [!NOTE]

+> Storage Account could be locked resulting in `403 This request is not authorized to perform this operation.` due to networking or firewall restrictions. Refer to the [customer-managed storage](#create-and-configure-storage-resources-customer-managed-storage) or [cluster manager storage](#verify-storage-account-access-cluster-manager-storage) sections for procedures to verify access.

+ Title: Troubleshoot baremetal machine issues using the `az networkcloud baremetalmachine run-read-command` for Operator Nexus

+There might be situations where a user needs to investigate & resolve issues with an on-premises BMM. Operator Nexus provides the `az networkcloud baremetalmachine run-read-command` so users can run a curated list of read only commands to get information from a BMM.

+The command produces an output file containing its results. Users should configure the Cluster resource with a storage account and identity that has access to the storage account to receive the output. There's a deprecated method of sending data to the Cluster Manager storage account if a storage account hasn't been provided on the Cluster. The Cluster Manager's storage account will be disabled in a future release as using a separate storage account is more secure.

+ [appropriate CLI extensions](./howto-install-cli-extensions.md)

+## Create and configure storage resources (customer-managed storage)

+1. Create a storage account, or identify an existing storage account that you want to use. See [Create an Azure storage account](/azure/storage/common/storage-account-create?tabs=azure-portal).

+2. In the storage account, create a blob storage container. See [Create a container](/azure/storage/blobs/storage-quickstart-blobs-portal#create-a-container).

+3. Assign the "Storage Blob Data Contributor" role to users and managed identities which need access to the run-read-command output. See [Assign an Azure role for access to blob data](/azure/storage/blobs/assign-azure-role-data-access?tabs=portal). The role must also be assigned to either a user-assigned managed identity or the cluster's own system-assigned managed identity. For more information on managed identities, see [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).

+When assigning a role to the cluster's system-assigned identity, make sure you select the resource with the type "Cluster (Operator Nexus)."

+## Configure the cluster to use a user-assigned managed identity for storage access

+Use this command to configure the cluster for a user-assigned identity:

+```azurecli-interactive

+az networkcloud cluster update --name "<cluster-name>" \

+ --resource-group "<cluster-resource-group>" \

+ --mi-user-assigned "<user-assigned-identity-resource-id>" \

+ --command-output-settings identity-type="UserAssignedIdentity" \

+ identity-resource-id="<user-assigned-identity-resource-id>" \

+ container-url="<container-url>" \

+ --subscription "<subscription>"

+```

+The identity resource ID can be found by clicking "JSON view" on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.

+## Configure the cluster to use a system-assigned managed identity for storage access

+Use this command to configure the cluster to use its own system-assigned identity:

+```azurecli-interactive

+az networkcloud cluster update --name "<cluster-name>" \

+ --resource-group "<cluster-resource-group>" \

+ --mi-system-assigned true \

+ --command-output-settings identity-type="SystemAssignedIdentity" \

+ container-url="<container-url>" \

+ --subscription "<subscription>"

+```

+To change the cluster from a user-assigned identity to a system-assigned identity, the CommandOutputSettings must first be cleared using the command in the next section, then set using this command.

+## Clear the cluster's CommandOutputSettings

+The CommandOutputSettings can be cleared, directing run-read-command output back to the cluster manager's storage. However, it isn't recommended since it's less secure, and the option will be removed in a future release.

+However, the CommandOutputSettings do need to be cleared if switching from a user-assigned identity to a system-assigned identity.

+Use this command to clear the CommandOutputSettings:

+```azurecli-interactive

+az rest --method patch \

+ --url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<cluster-resource-group>/providers/Microsoft.NetworkCloud/clusters/<cluster-name>?api-version=2024-08-01-preview" \

+ --body '{"properties": {"commandOutputSettings":null}}'

+```

+## Verify Storage Account access (cluster manager storage)

+If using the deprecated Cluster Manager storage method, verify you have access to the Cluster Manager's storage account

+1. From Azure portal, navigate to Cluster Manager's Storage account.

+1. In the Storage account details, select **Storage browser** from the navigation menu on the left side.

+1. In the Storage browser details, select on **Blob containers**.

+1. If you encounter a `403 This request is not authorized to perform this operation.` while accessing the storage account, storage accountΓÇÖs firewall settings need to be updated to include the public IP address.

+1. Request access by creating a support ticket via Portal on the Cluster Manager resource. Provide the public IP address that requires access.

+## Execute a run-read command

+use these commands, you have to put all the words in the "command" field. For example,

+This list shows the commands you can use. Commands in `*italics*` can't have `arguments`; the rest can.

+- _`fdisk -l`_

+- _`hostname`_

+- _`ifconfig -a`_

+- _`ifconfig -s`_

+- _`mount`_

+- _`ss`_

+- _`ulimit -a`_

+- _`nc-toolbox nc-toolbox-runread racadm arp`_

+- _`nc-toolbox nc-toolbox-runread racadm coredump`_

+- _`nc-toolbox nc-toolbox-runread racadm getled`_

+- _`nc-toolbox nc-toolbox-runread racadm ifconfig`_

+- _`nc-toolbox nc-toolbox-runread racadm inlettemphistory get`_

+- _`nc-toolbox nc-toolbox-runread racadm netstat`_

+- _`nc-toolbox nc-toolbox-runread racadm racdump`_

+- _`nc-toolbox nc-toolbox-runread racadm swinventory`_

+- _`nc-toolbox nc-toolbox-runread racadm systemconfig getbackupscheduler`_

+- _`nc-toolbox nc-toolbox-runread racadm techsupreport getupdatetime`_

+- _`nc-toolbox nc-toolbox-runread racadm vflashsd status`_

+- _`nc-toolbox nc-toolbox-runread racadm vflashpartition list`_

+- _`nc-toolbox nc-toolbox-runread racadm vflashpartition status -a`_

+- `nc-toolbox nc-toolbox-runread mstconfig` (requires `query` arg)

+- `nc-toolbox nc-toolbox-runread mstflint` (requires `query` arg)

+- `nc-toolbox nc-toolbox-runread mstlink` (requires `query` arg)

+- `nc-toolbox nc-toolbox-runread mstfwmanager` (requires `query` arg)

+These commands can be long running so the recommendation is to set `--limit-time-seconds` to at least 600 seconds (10 minutes). Running multiple commands might take longer than 10 minutes.

+> [!WARNING]

+> Using the `--output-directory` argument will overwrite any files in the local directory that have the same name as the new files being created.

+1. Storage Account could be locked resulting in `403 This request is not authorized to perform this operation.` due to networking or firewall restrictions. Refer to the [customer-managed storage](#create-and-configure-storage-resources-customer-managed-storage) or [cluster manager storage](#verify-storage-account-access-cluster-manager-storage) sections for procedures to verify access.

+If you enable network security policies for user-defined routes, you can use a custom address prefix length (subnet mask) equal to or larger than the virtual network address space prefix length to invalidate the /32 default route propagated by the private endpoint. This capability can be useful if you want to ensure that private endpoint connection requests go through a firewall or virtual appliance. Otherwise, the /32 default route sends traffic directly to the private endpoint in accordance with the [longest prefix match algorithm](../virtual-network/virtual-networks-udr-overview.md#how-azure-selects-a-route).

+> To invalidate a private endpoint route, user-defined routes must have a prefix size that is equal to or smaller than the virtual network address space where the private endpoint is provisioned. For example, a user-defined routes default route (0.0.0.0/0) won't invalidate private endpoint routes because it covers a broader range than the private endpoint's address space. The longest prefix match rule will give higher priority to more specific address prefixes. Additionally, ensure that network policies are enabled in the subnet hosting the private endpoint.

+- To learn more, see [What is a private endpoint?](private-endpoint-overview.md).

+>| Azure Web Apps - Azure Function Apps (Microsoft.Web/sites) | sites | privatelink.azurewebsites.net </br> scm.privatelink.azurewebsites.net<sup>2</sup | azurewebsites.net </br> scm.azurewebsites.net |

+²In scenarios where the Kudu console or Kudu REST API is used, you must create two DNS records pointing to the private endpoint IP in your Azure DNS private zone or custom DNS server. The first record is for your app, and the second record is for the SCM (Source Control Management) of your app.

+>| Azure Web Apps (Microsoft.Web/sites) | sites | privatelink.azurewebsites.us </br> scm.privatelink.azurewebsites.us² | azurewebsites.us </br> scm.azurewebsites.us |

+²In scenarios where the Kudu console or Kudu REST API is used, you must create two DNS records pointing to the private endpoint IP in your Azure DNS private zone or custom DNS server. The first record is for your app, and the second record is for the SCM (Source Control Management) of your app.

+> [!NOTE]

+> Only one connection between a PLS and Internal Load Balancer is supported when using TCP Proxy v2

+- TCP Proxy v2 only supports one connection between a PLS and Internal Load Balancer

+> | <a name='service-fabric-cluster-contributor'></a>[Service Fabric Cluster Contributor](./built-in-roles/containers.md#service-fabric-cluster-contributor) | Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc. | b6efc156-f0da-4e90-a50a-8c000140b017 |

+> | <a name='service-fabric-managed-cluster-contributor'></a>[Service Fabric Managed Cluster Contributor](./built-in-roles/containers.md#service-fabric-managed-cluster-contributor) | Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services. | 83f80186-3729-438c-ad2d-39e94d718838 |

+## Service Fabric Cluster Contributor

+Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.ServiceFabric](../permissions/compute.md#microsoftservicefabric)/clusters/* | |

+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",

+ "name": "b6efc156-f0da-4e90-a50a-8c000140b017",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.ServiceFabric/clusters/*",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Insights/alertRules/*",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Service Fabric Cluster Contributor",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+## Service Fabric Managed Cluster Contributor

+Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.ServiceFabric](../permissions/compute.md#microsoftservicefabric)/managedclusters/* | |

+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |

+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |

+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | *none* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",

+ "id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",

+ "name": "83f80186-3729-438c-ad2d-39e94d718838",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.ServiceFabric/managedclusters/*",

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Insights/alertRules/*",

+ "Microsoft.Resources/deployments/*",

+ "Microsoft.Resources/subscriptions/resourceGroups/read"

+ ],

+ "notActions": [],

+ "dataActions": [],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Service Fabric Managed Cluster Contributor",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+> [!NOTE]

+> With some of the new M(b)v3 VM types, the usage of read cached Premium SSD v1 storage could result in lower read and write IOPS rates and throughput than you would get if you don't use read cache.

+Azure provides [multiple storage solutions](/azure/virtual-machines/disks-types).

+The table below details the support status

+> Azure Host Disk Cache for the DATA ASM Disk Group can be set to either Read Only or None. Consider that with some of the new M(b)v3 VM types, the usage of read cached Premium SSD v1 storage could result in lower read and write IOPS rates and throughput than you would get if you don't use read cache. All other ASM Disk Groups should be set to None. On BW or SCM a separate ASM Disk Group for TEMP can be considered for large or busy systems.

+In this document, covers several different areas to consider when deploying SAP ASE in Azure IaaS. As a precondition to this document, you read the document [Considerations for Azure Virtual Machines DBMS deployment for SAP workload](dbms-guide-general.md) and other guides in the [SAP workload on Azure documentation](./get-started.md). This document covers SAP ASE running on Linux and on Windows Operating Systems. The minimum supported release on Azure is SAP ASE 16.0.02 (Release 16 Support Pack 2). It's recommended to deploy the latest version of SAP with the most recent Patch Level. As a minimum SAP ASE 16.0.03.07 (Release 16 Support Pack 3 Patch Level 7) is recommended. The most recent version of SAP can be found in [Targeted ASE 16.0 Release Schedule and CR list Information](https://wiki.scn.sap.com/wiki/display/SYBASE/Targeted+ASE+16.0+Release+Schedule+and+CR+list+Information).

+The SAP Product Availability Matrix contains the supported Operating System and SAP Kernel combinations for each SAP application. Linux distributions SLES 12.x, SLES 15.x, RHEL 7.x, and RHEL 8.x are fully supported. Oracle Linux as operating system for SAP ASE isn't supported. It's recommended to use the most recent Linux releases available. Windows customers should use Windows Server 2016 or Windows Server 2019 releases. Older releases of Windows such as Windows 2012 are technically supported but the latest Windows version is always recommended.

+Microsoft Azure offers numerous different virtual machine types that allow you to run smallest SAP systems and landscapes up to large SAP systems and landscapes with thousands of users. SAP sizing SAPS numbers of the different SAP certified Virtual Machine (VM) SKUs is provided in [SAP support note #1928533](https://launchpad.support.sap.com/#/notes/1928533).

+Lock Pages in Memory is a setting that is preventing the SAP ASE database buffer from being paged out. This setting is useful for large busy systems with a high memory demand. Contact BC-DB-SYB for more information.

+The page size is typically 2,048 KB. For details see the article [Huge Pages on Linux](https://help.sap.com/viewer/ecbccd52e7024feaa12f4e780b43bc3b/16.0.3.7/en-US/a703d580bc2b10149695f7d838203fad.html)

+> [!NOTE]

+> With some of the new M(b)v3 VM types, the usage of read cached Premium SSD v1 storage could result in lower read and write IOPS rates and throughput than you would get if you don't use read cache.

+SAP ASE writes data sequentially into disk storage devices unless configured otherwise. This means an empty SAP ASE database with four devices wwrites data into the first device only. The other disk devices are only written into when the first device is full. The amount of READ and WRITE IO to each SAP ASE device is likely to be different. To balance disk IO across all available Azure disks, either Windows Storage Spaces or Linux LVM2 needs to be used. On Linux, it's recommended to use XFS file system to format the disks. The LVM stripe size should be tested with a performance test. 128 KB stripe size is a good starting point. On Windows, the NTFS Allocation Unit Size (AUS) should be tested. 64 KB can be used as a starting value.

+### Sample SAP ASE on Azure virtual machine, disk, and file system configurations

+The examples given below are for illustrative purposes and can be modified based on individual needs. Due to the design of SAP ASE, the number of data devices isn't as critical as with other databases. The number of data devices detailed in this document is a guide only. The configurations suggested should be treated as what they're. They're starting points for you. But they're configurations that are going to need some fine-tuning to your workload and cost efficiencies.

+- Floating IP with Fault Manager ΓÇô This solution can be used for SAP Business Suite and non-SAP Business Suite applications. This solution utilizes the Azure ILB and the SAP ASE database engine provides a Probe Port. The Fault Manager calls the SAPHostAgent to start or stop a secondary Floating IP on the ASE hosts. This solution is documented in [SAP note #3086679 - SYB: Fault

+> If a SAP ASE database is encrypted then Backup Dump Compression is not working. See also [SAP support note #2680905](https://launchpad.support.sap.com/#/notes/2680905)

+- Deploy on latest certified OS available such as Windows 2019, SLES 15, or RHEL 8

+And the links generated in transaction DBACockpit look similar to:

+Are helpful. Another useful document is [SAP Applications on SAP Adaptive Server Enterprise Best Practices for Migration and Runtime](https://assets.cdn.sap.com/sapcom/docs/2016/06/26450353-767c-0010-82c7-eda71af511fa.pdf).

+## New M-series VMs and SQL Server

+Azure released a few new families of M-series SKUs under the family of Mv3. Some of the VM types in this family should not be used for SQL Server, including SQL Server 2022. Reason is the number of NUMA nodes presented into the guest OS which with larger than 64 vCPUs is too large for SQL Server to accomodate. The specific VM types are:

+- M176(d)s_3_v3 - use M176bds_4_v3 or M176bds_4_v3 as alternative

+- M176(d)s_4_v3 - use M176bds_4_v3 as alternative

+- M624(d)s_12_v3 - use M416ms_v2 as alternative

+- M832(d)s_12_v3 - use M416ms_v2 as alternative

+- M832i(d)s_16_v3 - use M416ms_v2 as alternative

+> [!NOTE]

+> With some of the new M(b)v3 VM types, the usage of read cached Premium SSD v1 storage could result in lower read and write IOPS rates and throughput than you would get if you don't use read cache.

+> [!NOTE]

+> With some of the new M(b)v3 VM types, the usage of read cached Premium SSD v1 storage could result in lower read and write IOPS rates and throughput than you would get if you don't use read cache.

+- October 14, 2024: Change several database guides mentioning that with several Mv3 VM types, IOPS and throughput could be lower when using read cached Premium SSD v1 disks compared to using non-cached disks

+> [!NOTE]

+> With some of the new M(b)v3 VM types, the usage of read cached Premium SSD v1 storage could result in lower read and write IOPS rates and throughput than you would get if you don't use read cache.

+| **Automation rules with incident triggers** | In both the Azure portal and the unified security operations platform, the **Incident provider** condition property is removed, as all incidents have *Microsoft Defender XDR* as the incident provider (the value in the *ProviderName* field). <br><br>At that point, any existing automation rules run on both Microsoft Sentinel and Microsoft Defender XDR incidents, including those where the **Incident provider** condition is set to only *Microsoft Sentinel* or *Microsoft 365 Defender*. <br><br>However, automation rules that specify a specific analytics rule name run only on incidents that contain alerts that were created by the specified analytics rule. This means that you can define the **Analytic rule name** condition property to an analytics rule that exists only in Microsoft Sentinel to limit your rule to run on incidents only in Microsoft Sentinel. <br><br>For more information, see [Incident trigger conditions](../automate-incident-handling-with-automation-rules.md#conditions). |

+| **Changes to existing incident names** | In the unified SOC operations platform, the Defender portal uses a unique engine to correlate incidents and alerts. When onboarding your workspace to the unified SOC operations platform, existing incident names might be changed if the correlation is applied. To ensure that your automation rules always run correctly, we therefore recommend that you avoid using incident titles as condition criteria in your automation rules, and suggest instead to use the name of any analytics rule that created alerts included in the incident, and tags if more specificity is required. |

+OS disk maximum size | [4095 GiB](/azure/virtual-machines/managed-disks-overview#os-disk) | [Learn more](/azure/virtual-machines/managed-disks-overview) about VM disks.

+Data disk maximum size | 32 TiB for managed disks<br></br>4 TiB for unmanaged disks|

+Data disk minimum size | No restriction for unmanaged disks. 1 GiB for managed disks |

+Data disk maximum size per storage account (for unmanaged disks) | 35 TiB | This is an upper limit for cumulative size of page blobs created in a premium Storage Account

+### Azure Container Storage fails to install due to missing configuration

+### Azure Container Storage fails to install due to Azure Policy restrictions

+Azure Container Storage might fail to install if Azure Policy restrictions are in place. Specifically, Azure Container Storage relies on privileged containers, which can be blocked by Azure Policy. When this happens, the installation of Azure Container Storage might timeout or fail, and you might see errors in the `gatekeeper-controller` logs such as:

+```output

+{"level":"info","ts":1722622443.9484184,"logger":"webhook","msg":"denied admission: Privileged container is not allowed: prereq, securityContext: {\"privileged\": true, \"runAsUser\": 0}","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2noprivilege-686dd8b209a774ba977c","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2NoPrivilege","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"acstor","resource_name":"azurecontainerstorage-prereq-gt58x","request_username":"system:serviceaccount:kube-system:daemon-set-controller"}

+{"level":"info","ts":1722622443.9839077,"logger":"webhook","msg":"denied admission: Privileged container is not allowed: metrics-exporter, securityContext: {\"privileged\": true}","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2noprivilege-686dd8b209a774ba977c","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2NoPrivilege","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"acstor","resource_name":"azurecontainerstorage-metrics-exporter-286np","request_username":"system:serviceaccount:kube-system:daemon-set-controller"}

+{"level":"info","ts":1722622444.0515249,"logger":"webhook","msg":"denied admission: Privileged container is not allowed: csi-node, securityContext: {\"privileged\": true}","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2noprivilege-686dd8b209a774ba977c","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2NoPrivilege","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"acstor","resource_name":"azurecontainerstorage-csi-node-7hcd7","request_username":"system:serviceaccount:kube-system:daemon-set-controller"}

+{"level":"info","ts":1722622444.0729053,"logger":"webhook","msg":"denied admission: Privileged container is not allowed: io-engine, securityContext: {\"privileged\": true}","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2noprivilege-686dd8b209a774ba977c","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2NoPrivilege","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"acstor","resource_name":"azurecontainerstorage-io-engine-84hwx","request_username":"system:serviceaccount:kube-system:daemon-set-controller"}

+{"level":"info","ts":1722622444.0742755,"logger":"webhook","msg":"denied admission: Privileged container is not allowed: ndm, securityContext: {\"privileged\": true}","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2noprivilege-686dd8b209a774ba977c","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2NoPrivilege","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"acstor","resource_name":"azurecontainerstorage-ndm-x6q5n","request_username":"system:serviceaccount:kube-system:daemon-set-controller"}

+{"level":"info","ts":1722622449.2412128,"logger":"webhook","msg":"denied admission: Privileged container is not allowed: ndm, securityContext: {\"privileged\": true}","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2noprivilege-686dd8b209a774ba977c","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2NoPrivilege","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"acstor","resource_name":"azurecontainerstorage-ndm-b5nfg","request_username":"system:serviceaccount:kube-system:daemon-set-controller"}

+```

+To resolve this, youΓÇÖll need to add the `acstor` namespace to the exclusion list of your Azure Policy. Azure Policy is used to create and enforce rules for managing resources within Azure, including AKS clusters. In some cases, policies might block the creation of Azure Container Storage pods and components. You can find more details on working with Azure Policy for Kubernetes by consulting [Azure Policy for Kubernetes](/azure/governance/policy/concepts/policy-for-kubernetes).

+To add the `acstor` namespace to the exclusion list, follow these steps:

+1. [Create your Azure Kubernetes cluster](install-container-storage-aks.md).

+1. Enable Azure Policy for AKS.

+1. Create a policy that you suspect is blocking the installation of Azure Container Storage.

+1. Attempt to install Azure Container Storage in the AKS cluster.

+1. Check the logs for the gatekeeper-controller pod to confirm any policy violations.

+1. Add the `acstor` namespace to the exclusion list of the policy.

+1. Attempt to install Azure Container Storage in the AKS cluster again.

+ZRS for premium file shares is available for a subset of Azure regions:

+- (Africa) South Africa North

+- (Asia Pacific) Australia East

+- (Asia Pacific) China North 3

+- (Asia Pacific) Southeast Asia

+- (Asia Pacific) Korea Central

+- (Asia Pacific) East Asia

+- (Asia Pacific) Japan East

+- (Asia Pacific) Central India

+- (Canada) Canada Central

+- (Europe) France Central

+- (Europe) Germany West Central

+- (Europe) North Europe

+- (Europe) West Europe

+- (Europe) UK South

+- (Europe) Poland Central

+- (Europe) Norway East

+- (Europe) Spain Central

+- (Europe) Sweden Central

+- (Europe) Switzerland North

+- (Europe) Italy North

+- (Middle East) Qatar Central

+- (Middle East) Israel Central

+- (Middle East) UAE North

+- (North America) East US

+- (North America) East US 2

+- (North America) West US 2

+- (North America) West US 3

+- (North America) Central US

+- (North America) South Central US

+- (North America) Mexico Central

+- (South America) Brazil South

+- (US Government) US Gov Virginia

+| [Multimedia redirection](multimedia-redirection-video-playback-calls.md?pivots=azure-virtual-desktop) | Redirect video playback and calls from the desktop or app to the physical machine for faster processing and rendering. |

+| [Multimedia redirection](multimedia-redirection-video-playback-calls.md?pivots=windows-365) | Redirect video playback and calls from the Cloud PC or dev box to the physical machine for faster processing and rendering. |

+ - To disconnect the remote session when the session locks, toggle the switch to **Enabled**.

+ - To show the remote lock screen when the session locks, toggle the switch to **Disabled**.

+ - To disconnect the remote session when the session locks, toggle the switch to **Enabled**.

+ - To show the remote lock screen when the session locks, toggle the switch to **Disabled**.

+ Title: Developer integration with multimedia redirection for WebRTC-based calling apps in a remote session

+description: Learn how to integrate a website with multimedia redirection for WebRTC-based calling apps in a remote session from Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box.

+# Developer integration with multimedia redirection for WebRTC-based calling apps in a remote session

+Multimedia redirection redirects video playback and calls in a remote session from Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box to your local device for faster processing and rendering.

+Call redirection optimizes audio calls for WebRTC-based calling apps, reducing latency, and improving call quality. The connection happens between the local device and the telephony app server, where WebRTC calls are offloaded from a remote session to a local device. After the connection is established, call quality becomes dependent on the web page or app providers, just as it would with a non-redirected call.

+Call redirection can work with most WebRTC-based calling apps without modifications. However, there might be unsupported scenarios or you might want to provide a different experience in a remote session.

+This article provides information about supported API interfaces and instance methods, and shows JavaScript code snippets that you can use with the [`mediaDevices` property of the Navigator interface](https://developer.mozilla.org/docs/Web/API/Navigator/mediaDevices).

+The navigator interface is part of the [Media Capture and Streams API](https://developer.mozilla.org/docs/Web/API/Media_Capture_and_Streams_API) to integrate your website with call redirection. Together with the [WebRTC API](https://developer.mozilla.org/docs/Web/API/WebRTC_API), these APIs provide support for streaming audio and video data with WebRTC-based calling apps. Multimedia redirection replaces the implementation of the `mediaDevices` object in the APIs to detect call redirection, handle disconnection and reconnection events, and collect diagnostic information.

+> [!TIP]

+> When you want to test your integration with multimedia redirection, you can enable call redirection to be available for all websites. For more information, see [Enable call redirection for all sites for testing](multimedia-redirection-video-playback-calls.md#enable-call-redirection-for-all-sites-for-testing).

+## Supported API interfaces and instance methods

+Call redirection is designed to seamlessly replace standard WebRTC usage with an implementation that redirects calls from a remote session to the local device.

+Here's a list of the supported interfaces and instance methods used by call redirection from the [Media Capture and Streams API](https://developer.mozilla.org/docs/Web/API/Media_Capture_and_Streams_API) and [WebRTC API](https://developer.mozilla.org/docs/Web/API/WebRTC_API):

+- [`AnalyserNode`](https://developer.mozilla.org/docs/Web/API/AnalyserNode)

+- [`AudioContext`](https://developer.mozilla.org/docs/Web/API/AudioContext)

+- [`HTMLAudioElement`](https://developer.mozilla.org/docs/Web/API/HTMLAudioElement)

+- [`MediaDevices`](https://developer.mozilla.org/docs/Web/API/MediaDevices)

+ - [`enumerateDevices`](https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices)

+ - [`getUserMedia`](https://developer.mozilla.org/docs/Web/API/MediaDevices/getUserMedia)

+- [`MediaStream`](https://developer.mozilla.org/docs/Web/API/MediaStream)

+- [`MediaStreamAudioDestinationNode`](https://developer.mozilla.org/docs/Web/API/MediaStreamAudioDestinationNode)

+- [`MediaStreamAudioSourceNode`](https://developer.mozilla.org/docs/Web/API/MediaStreamAudioSourceNode)

+- [`MediaStreamTrack`](https://developer.mozilla.org/docs/Web/API/MediaStreamTrack)

+- [`RTCDataChannel`](https://developer.mozilla.org/docs/Web/API/RTCDataChannel)

+- [`RTCPeerConnection`](https://developer.mozilla.org/docs/Web/API/RTCPeerConnection)

+- [`RTCRtpReceiver`](https://developer.mozilla.org/docs/Web/API/RTCRtpReceiver)

+- [`RTCRtpSender`](https://developer.mozilla.org/docs/Web/API/RTCRtpSender)

+- [`RTCRtpTransceiver`](https://developer.mozilla.org/docs/Web/API/RTCRtpTransceiver)

+### Known limitations

+Call redirection has the following API limitations:

+- Only a limited number of `WebAudio` nodes are supported currently.

+- `setSinkId` on an `HTMLAudioElement` works for WebRTC `srcObject` tracks, however any local playback, such as a ringtone, always plays on the default audio output of the remote session.

+- As some APIs return synchronously under normal conditions but have to be proxies when used with call redirection, it's possible that the state of an object isn't available immediately.

+## Detecting call redirection

+To detect whether call redirection is active, you can check the `isRemote` property of the `MediaDevices` object. If this property is `true`, call redirection is active. If this property is `undefined` or `false`, call redirection isn't active.

+```javascript

+window.navigator.mediaDevices['isRemote'] = true;

+```

+## Detecting disconnection from a remote session

+When a user disconnects and reconnects to a remote session when using call redirection on a web page, the local WebRTC instance that supported the objects is no longer available. Typically, if a user refreshes the page, they're able to make calls again.

+The web page can detect and handle these disconnect and reconnect events by tearing down and recreating all WebRTC objects, audio or video elements, and `MediaStream` or `MediaStreamTrack` interfaces. This approach eliminates the need to refresh the web page.

+To get notified of these events, register the `rdpClientConnectionStateChanged` event on the `MediaDevices` object, as shown in the following example. This event contains the new state, which can be either `connected` or `disconnected`.

+```javascript

+navigator.mediaDevices.addEventListener('rdpClientConnectionStateChanged', () =>

+ console.log("state change: " + event.detail.state);

+);

+```

+## Call redirection diagnostics

+The following example lists the properties exposed on the `MediaDevices` object. They provide specific diagnostic info about the versions of call redirection being used and session identifiers. This information is useful when reporting issues to Microsoft and we recommend you collect it as part of your own telemetry or diagnostics data.

+```javascript

+window.navigator.mediaDevices['mmrClientVersion'];

+window.navigator.mediaDevices['mmrHostVersion'];

+window.navigator.mediaDevices['mmrExtensionVersion'];

+window.navigator.mediaDevices['activityId'];

+window.navigator.mediaDevices['connectionId'];

+```

+Here's what each property represents:

+- **mmrClientVersion**: the version of the file `MsMmrDVCPlugin.dll` on the local machine, which comes as part of Windows App and the Remote Desktop app.

+- **mmrHostVersion**: the version of the file `MsMMRHost.exe` installed on the session host, Cloud PC, or dev box.

+- **mmrExtensionVersion**: the version of the Microsoft Multimedia Redirection extension running in the browser.

+- **activityId**: a unique identifier that Microsoft uses to associate telemetry to a specific session and maps to current web page multimedia redirection is redirecting.

+- **connectionId**: a unique identifier that Microsoft uses to associate telemetry to a specific session and relates to the given connection between the local device and the remote session.

+All of this information is available to the end user in the details of the browser extension, but this example provides a programmatic way to collect it.

+## Call redirection logs

+By default, multimedia redirection doesn't log to the console. The browser extension has a button to for users to collect logs. The following example shows how you can enable console logs programmatically. You might want to do enable console logs programmatically if you're working on integration or capturing an issue that requires longer running logs than the option in the browser extension interface provides.

+```javascript

+window.navigator.mediaDevices['mmrConsoleLoggingEnabled'] = true;

+```

+You might also want to programmatically collect multimedia redirection logs to aid in investigations. All logs for the web page are also available by registering for the `mmrExtensionLog` event on the document.

+The event object has two properties under **detail**:

+- **Level**: denotes what kind of trace the entry is and allows you to filter for specific events. Level is one of the following values:

+ - info

+ - verbose

+ - warning

+ - error

+- **Message**: the text-based trace message.

+The following example shows how to register for the `mmrExtensionLog` event:

+```javascript

+document.addEventListener('mmrExtensionLog', () =>

+ console.log("MMR event, level:" + event.detail.level + " : " + event.detail.message);

+);

+```

+## Related content

+Learn more about [Multimedia redirection for video playback and calls in a remote session](multimedia-redirection-video-playback-calls.md).

+ Title: Multimedia redirection for video playback and calls in a remote session

+description: Learn how multimedia redirection redirects video playback and calls in a remote session from Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box to your local device for faster processing and rendering.

+zone_pivot_groups: rdp-products-features

+# Multimedia redirection for video playback and calls in a remote session

+Multimedia redirection redirects video playback and calls in a remote session from Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box to your local device for faster processing and rendering. Specifically, these two functions work in the following ways:

+- **Video playback redirection**: optimizes video playback experience for web pages with embedded videos like YouTube and Facebook. The browser in the remote session fetches video content, but the bitstream of video data is sent to the local device where it decodes and renders the video in the correct place on the screen.

+ :::image type="content" source="media/multimedia-redirection/video-playback-redirection.png" alt-text="A diagram depicting the relationship between the video source, the remote session, and the local device." lightbox="media/multimedia-redirection/video-playback-redirection.png":::

+- **Call redirection**: optimizes audio calls for WebRTC-based calling apps, reducing latency, and improving call quality. The connection happens between the local device and the telephony app server, where WebRTC calls are offloaded from a remote session to a local device, as shown in the following diagram. However, after the connection is established, call quality becomes dependent on the web page or app providers, just as it would with a non-redirected call.

+ :::image type="content" source="media/multimedia-redirection/call-redirection.png" alt-text="A diagram depicting the relationship between the telephony web app server, the user, the web app, and other callers." lightbox="media/multimedia-redirection/call-redirection.png":::

+There are two components you need to install for multimedia redirection:

+- Remote Desktop Multimedia Redirection Service

+- Browser extension for Microsoft Edge or Google Chrome browsers

+This article shows you install and configure multimedia redirection in a remote session from Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box with Microsoft Edge or Google Chrome browsers, and manage settings for the browser extension using Microsoft Intune or Group Policy. Additionally, this article shows you how to manage settings for the browser extension in Microsoft Edge using the Microsoft Edge management service.

+Later in the article you can find a list of websites that work with multimedia redirection for [video playback](#websites-for-video-playback-redirection) and [calls](#websites-for-call-redirection).

+## Prerequisites

+Before you can use multimedia redirection, you need:

+- An existing host pool with session hosts.

+- Local administrator privilege on your session hosts to install and update the Remote Desktop Multimedia Redirection Service.

+- The latest version of Microsoft Edge or Google Chrome installed on your session hosts.

+- Microsoft Visual C++ Redistributable 2015-2022, version 14.32.31332.0 or later installed on your session hosts and local Windows devices. You can download the latest version from [Microsoft Visual C++ Redistributable latest supported downloads](/cpp/windows/latest-supported-vc-redist).

+- An existing Cloud PC.

+- Local administrator privilege on your Cloud PC to install and update the Remote Desktop Multimedia Redirection Service.

+- The latest version of Microsoft Edge or Google Chrome installed on your Cloud PC.

+- Microsoft Visual C++ Redistributable 2015-2022, version 14.32.31332.0 or later installed on your Cloud PC and local Windows devices. You can download the latest version from [Microsoft Visual C++ Redistributable latest supported downloads](/cpp/windows/latest-supported-vc-redist).

+- An existing dev box.

+- Local administrator privilege on your dev box to install and update the Remote Desktop Multimedia Redirection Service.

+- The latest version of Microsoft Edge or Google Chrome installed on your dev box.

+- Microsoft Visual C++ Redistributable 2015-2022, version 14.32.31332.0 or later installed on your dev box and local Windows devices. You can download the latest version from [Microsoft Visual C++ Redistributable latest supported downloads](/cpp/windows/latest-supported-vc-redist).

+- To configure multimedia redirection using Microsoft Intune, you need:

+ - Microsoft Entra ID account that is assigned the [Policy and Profile manager](/mem/intune/fundamentals/role-based-access-control-reference#policy-and-profile-manager) built-in RBAC role.

+ - A group containing the devices you want to configure.

+- To configure multimedia redirection using Group Policy, you need:

+ - A domain account that has permission to create or edit Group Policy objects.

+ - A security group or organizational unit (OU) containing the devices you want to configure.

+- You need to connect to a remote session from one of the following supported apps and platforms:

+ - Windows App on Windows, version 2.0.297.0 or later.

+ - Remote Desktop app on Windows, version 1.2.5709 or later.

+- Your local Windows device must meet the [hardware requirements for Teams on a Windows PC](/microsoftteams/hardware-requirements-for-the-teams-app#hardware-requirements-for-teams-on-a-windows-pc/).

+> [!NOTE]

+> Multimedia redirection isn't supported on Azure Virtual Desktop for Azure US Government, or Windows 365 for Microsoft 365 Government (GCC), GCC-High environments, and Microsoft 365 DoD.

+## Install multimedia redirection on session hosts

+There are two components you need to install on your session hosts:

+## Install multimedia redirection on a Cloud PC

+> [!IMPORTANT]

+> Multimedia redirection is already installed on Microsoft gallery images for Windows 365. You only need to install multimedia redirection on your Cloud PC if you're using a custom image.

+There are two components you need to install on your Cloud PC:

+## Install multimedia redirection on a dev box

+There are two components you need to install on your dev box:

+- Remote Desktop Multimedia Redirection Service

+- Browser extension for Microsoft Edge or Google Chrome browsers

+You install both the multimedia redirection service and browser extension from a single `.msi` file, which you can run manually, use Intune [Win32 app management](/mem/intune/apps/apps-win32-app-management), or your enterprise deployment tool with [msiexec](/windows-server/administration/windows-commands/msiexec). To install the `.msi` file:

+1. Download the [multimedia redirection installer](https://aka.ms/avdmmr/msi).

+1. Make sure Microsoft Edge or Google Chrome isn't running. Check in Task Manager that there are no instances of `msedge.exe` or `chrome.exe` listed in the **Details** tab.

+1. Install the `.msi` file using one of the following methods:

+ - To install it manually, open the file that you downloaded to run the setup wizard, then follow the prompts. After it's installed, select **Finish**.

+ - Alternatively, use the following command with Intune or your enterprise deployment tool as an administrator from Command Prompt. This example specifies there's no UI or user interaction required during the installation process.

+ ```cmd

+ msiexec /i <path to the MSI file> /qn

+ ```

+After you install the multimedia redirection service and browser extension, next you need to enable the browser extension.

+> [!IMPORTANT]

+> The Remote Desktop Multimedia Redirection Service doesn't update automatically. You need to update the service manually when a new version is available. You can download the latest version from the same URL in this section and install using the same steps, which automatically replaces the previous version. For information about the latest version, see [What's new in multimedia redirection](whats-new-multimedia-redirection.md).

+>

+> The browser extension updates automatically when a new version is available.

+## Enable the browser extension

+By default, users are automatically prompted to enable the extension when they open their browser. You can also enable and manage the browser extension from Microsoft Edge Add-ons or the Chrome Web Store for all users by using Microsoft Intune or Group Policy, or the Microsoft Edge management service (for Microsoft Edge only).

+Managing the browser extension has the following benefits:

+- Enable the browser extension silently and without user interaction.

+- Restrict which web pages use multimedia redirection.

+- Show or hide advanced settings for the browser extension.

+- Pin the browser extension to the browser toolbar.

+Select the relevant tab for your scenario.

+For Windows 365, we recommend using Microsoft Intune to enable the multimedia redirection browser extension.

+# [Microsoft Intune](#tab/intune)

+To enable the multimedia redirection browser extension using Microsoft Intune, expand one of the following sections, depending on which browser you're using:

+<br />

+<details>

+ <summary>For <b>Microsoft Edge</b>, expand this section.</summary>

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/).

+1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, with the **Settings catalog** profile type.

+1. In the settings picker, browse to **Microsoft Edge** > **Extensions**.

+ :::image type="content" source="media/multimedia-redirection/microsoft-edge-extensions-intune.png" alt-text="A screenshot showing the Microsoft Edge extensions options in the Microsoft Intune portal." lightbox="media/multimedia-redirection/microsoft-edge-extensions-intune.png":::

+1. Check the box for **Configure extension management settings**, then close the settings picker.

+1. Expand the **Microsoft Edge** category, then toggle the switch for **Configure extension management settings** to **Enabled**

+ :::image type="content" source="media/multimedia-redirection/microsoft-edge-extensions-intune-configure-extension-management-settings.png" alt-text="A screenshot showing the Microsoft Edge extensions management settings in the Microsoft Intune portal." lightbox="media/multimedia-redirection/microsoft-edge-extensions-intune-configure-extension-management-settings.png":::

+1. In the box that appears for **Configure extension management settings (Device)**, enter the following JSON as a single line string. This example installs the extension with the required update URL:

+ ```json

+ {

+ "joeclbldhdmoijbaagobkhlpfjglcihd": {

+ "installation_mode": "force_installed",

+ "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",

+ }

+ }

+ ```

+ > [!NOTE]

+ > You can specify additional parameters to allow or block specific sites for redirection and to show or hide advanced settings. For more information, see:

+ > - [Common policy configuration parameters](#common-policy-configuration-parameters).

+ > - [Allow or block video playback redirection for specific domains](#allow-or-block-video-playback-redirection-for-specific-domains).

+ > - [Enable call redirection for specific domains](#enable-call-redirection-for-specific-domains).

+1. Select **Next**.

+1. *Optional*: On the **Scope tags** tab, select a scope tag to filter the profile. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).

+1. On the **Assignments** tab, select the group containing the computers providing a remote session you want to configure, then select **Next**.

+1. On the **Review + create** tab, review the settings, then select **Create**.

+1. After the policy applies to the computers providing a remote session, restart them for the settings to take effect.

+</details>

+<br />

+<details>

+ <summary>For <b>Google Chrome</b>, expand this section.</summary>

+1. Download the [administrative template for Google Chrome](https://chromeenterprise.google/browser/download/#manage-policies-tab). Select the option **Chrome ADM/ADMX templates** to download the ZIP file.

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/).

+1. Follow the steps to [Import custom ADMX and ADML administrative templates into Microsoft Intune](/mem/intune/configuration/administrative-templates-import-custom). You need to import the `google.admx` and `google.adml` first, then import `chrome.admx` and `chrome.adml`.

+1. After you imported the Google Chrome administrative template, follow the steps to [Create a profile using your imported files](/mem/intune/configuration/administrative-templates-import-custom#create-a-profile-using-your-imported-files)

+1. In configuration settings, browse to **Computer Configuration** > **Google** > **Google Chrome** > **Extensions**.

+ :::image type="content" source="media/multimedia-redirection/google-chrome-extensions-administrative-template-intune.png" alt-text="A screenshot showing the Google Chrome extensions options in the Microsoft Intune portal." lightbox="media/multimedia-redirection/google-chrome-extensions-administrative-template-intune.png":::

+1. Select **Extension management settings**, which opens a new pane. Scroll to the end, then select **Enabled**.

+ :::image type="content" source="media/multimedia-redirection/google-chrome-extensions-administrative-template-intune-enabled.png" alt-text="A screenshot showing the Google Chrome extensions management settings in the Microsoft Intune portal." lightbox="media/multimedia-redirection/google-chrome-extensions-administrative-template-intune-enabled.png":::

+1. In the box, enter the following JSON as a single line string. This example installs the extension with the required update URL:

+ ```json

+ {

+ "lfmemoeeciijgkjkgbgikoonlkabmlno": {

+ "installation_mode": "force_installed",

+ "update_url": "https://clients2.google.com/service/update2/crx",

+ }

+ }

+ ```

+ > [!NOTE]

+ > You can specify additional parameters to allow or block specific sites for redirection and to show or hide advanced settings. For more information, see:

+ > - [Common policy configuration parameters](#common-policy-configuration-parameters).

+ > - [Allow or block video playback redirection for specific domains](#allow-or-block-video-playback-redirection-for-specific-domains).

+ > - [Enable call redirection for specific domains](#enable-call-redirection-for-specific-domains).

+1. Select **OK**, then select **Next**.

+1. *Optional*: On the **Scope tags** tab, select a scope tag to filter the profile. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).

+1. On the **Assignments** tab, select the group containing the computers providing a remote session you want to configure, then select **Next**.

+1. On the **Review + create** tab, review the settings, then select **Create**.

+1. After the policy applies to the computers providing a remote session, restart them for the settings to take effect.

+</details>

+# [Group Policy](#tab/group-policy)

+To enable the multimedia redirection browser extension using Group Policy:

+<br />

+<details>

+ <summary>For <b>Microsoft Edge</b>, expand this section.</summary>

+1. Download and install the Microsoft Edge administrative template by following the directions in [Configure Microsoft Edge policy settings on Windows devices](/deployedge/configure-microsoft-edge#1-download-and-install-the-microsoft-edge-administrative-template).

+1. Open the **Group Policy Management** console on device you use to manage the Active Directory domain.

+1. Create or edit a policy that targets the computers providing a remote session you want to configure.

+1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Microsoft Edge** > **Extensions**.

+ :::image type="content" source="media/multimedia-redirection/microsoft-edge-extensions-group-policy.png" alt-text="A screenshot showing the Microsoft Edge extensions options in the Group Policy editor." lightbox="media/multimedia-redirection/microsoft-edge-extensions-group-policy.png":::

+1. Double-click the policy setting **Configure extension management settings** to open it.

+ :::image type="content" source="media/multimedia-redirection/microsoft-edge-extensions-group-policy-extension-management-settings-enabled.png" alt-text="A screenshot showing the Microsoft Edge extensions management settings in the Group Policy editor." lightbox="media/multimedia-redirection/microsoft-edge-extensions-group-policy-extension-management-settings-enabled.png":::

+1. Select **Enabled**, then in the field for **Configure extension management settings**, enter the following JSON as a single line string. This example installs the extension with the required update URL:

+ ```json

+ {

+ "joeclbldhdmoijbaagobkhlpfjglcihd": {

+ "installation_mode": "force_installed",

+ "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",

+ }

+ }

+ ```

+ > [!NOTE]

+ > You can specify additional parameters to allow or block specific sites for redirection and to show or hide advanced settings. For more information, see:

+ > - [Common policy configuration parameters](#common-policy-configuration-parameters).

+ > - [Allow or block video playback redirection for specific domains](#allow-or-block-video-playback-redirection-for-specific-domains).

+ > - [Enable call redirection for specific domains](#enable-call-redirection-for-specific-domains).

+1. Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect.

+</details>

+<br />

+<details>

+ <summary>For <b>Google Chrome</b>, expand this section.</summary>

+1. Download the [administrative template for Google Chrome](https://chromeenterprise.google/browser/download/#manage-policies-tab). Select the option **Chrome ADM/ADMX templates** to download the ZIP file.

+1. On your domain controllers, copy and paste the following files to the relevant location, depending if you store Group Policy templates in the local `PolicyDefinitions` folder or the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). Replace `contoso.com` with your domain name, and `en-US` if you're using a different language.

+ - **Filename**: `terminalserver-avd.admx`

+ - **Local location**: `C:\Windows\PolicyDefinitions\`

+ - **Central Store**: `\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions`

+ - **Filename**: `en-US\terminalserver-avd.adml`

+ - **Local location**: `C:\Windows\PolicyDefinitions\en-US\`

+ - **Central Store**: `\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions\en-US`

+1. Open the **Group Policy Management** console on device you use to manage the Active Directory domain.

+1. Create or edit a policy that targets the computers providing a remote session you want to configure.

+1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Google** > **Google Chrome** > **Extensions**.

+ :::image type="content" source="media/multimedia-redirection/google-chrome-extensions-group-policy.png" alt-text="A screenshot showing the Google Chrome extensions options in the Group Policy editor." lightbox="media/multimedia-redirection/google-chrome-extensions-group-policy.png":::

+1. Double-click the policy setting **Extension management settings** to open it.

+ :::image type="content" source="media/multimedia-redirection/google-chrome-extensions-group-policy-extension-management-settings-enabled.png" alt-text="A screenshot showing the Google Chrome extensions management settings in the Group Policy editor." lightbox="media/multimedia-redirection/google-chrome-extensions-group-policy-extension-management-settings-enabled.png":::

+1. Select **Enabled**, then in the field for **Extension management settings**, enter the following JSON as a single line string. This example installs the extension with the required update URL:

+ ```json

+ {

+ "lfmemoeeciijgkjkgbgikoonlkabmlno": {

+ "installation_mode": "force_installed",

+ "update_url": "https://clients2.google.com/service/update2/crx",

+ }

+ }

+ ```

+ > [!NOTE]

+ > You can specify additional parameters to allow or block specific sites for redirection and to show or hide advanced settings. For more information, see:

+ > - [Common policy configuration parameters](#common-policy-configuration-parameters).

+ > - [Allow or block video playback redirection for specific domains](#allow-or-block-video-playback-redirection-for-specific-domains).

+ > - [Enable call redirection for specific domains](#enable-call-redirection-for-specific-domains).

+1. Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect.

+</details>

+# [Microsoft Edge management service](#tab/edge)

+To enable the multimedia redirection browser extension using the Microsoft Edge management service:

+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/).

+1. [Create a configuration profile](/deployedge/microsoft-edge-management-service) for Microsoft Edge.

+1. After the profile is created, select it, then select **Extensions**.

+ :::image type="content" source="media/multimedia-redirection/microsoft-edge-configuration-profile-extensions-empty.png" alt-text="A screenshot showing the empty extensions tab in a Microsoft Edge configuration profile." lightbox="media/multimedia-redirection/microsoft-edge-configuration-profile-extensions-empty.png":::

+1. Select **+ Select extension**.

+1. In the new pane that opens, enter extension ID `joeclbldhdmoijbaagobkhlpfjglcihd` into the search box. The Microsoft Multimedia Redirection extension appears in the search results. Select **Select** and close the pane. You can't search for it by name.

+ :::image type="content" source="media/multimedia-redirection/microsoft-edge-configuration-profile-extensions-multimedia-redirection-search.png" alt-text="A screenshot showing the search results for the Microsoft Multimedia Redirection extension in a Microsoft Edge configuration profile." lightbox="media/multimedia-redirection/microsoft-edge-configuration-profile-extensions-multimedia-redirection-search.png":::

+1. Select the **Microsoft Multimedia Redirection** extension display name, which opens a new pane. From this pane you can configure the extension settings, based on your requirements. You can also use any of the JSON examples for Microsoft Edge in this article to add the extension or modify its settings.

+ :::image type="content" source="media/multimedia-redirection/microsoft-edge-configuration-profile-extensions-multimedia-redirection-settings.png" alt-text="A screenshot showing the Microsoft Multimedia Redirection extension settings in a Microsoft Edge configuration profile." lightbox="media/multimedia-redirection/microsoft-edge-configuration-profile-extensions-multimedia-redirection-settings.png":::

+1. Follow the steps to [Assign a configuration profile to a Microsoft Entra group](/deployedge/microsoft-edge-management-service#assign-a-configuration-profile-to-a-microsoft-entra-group), then [Configure Microsoft Edge to use a configuration profile](/deployedge/microsoft-edge-management-service#configure-microsoft-edge-to-use-a-configuration-profile) to apply the profile to the groups of users you specify.

+## Common policy configuration parameters

+The following sections show some examples of policy configuration parameters for the browser you can use to manage the multimedia redirection browser extension that are common for both video playback and call redirection. You can use these examples as part of the steps in [Enable the browser extension](#enable-the-browser-extension). Combine these examples with the parameters you require for your users.

+> [!NOTE]

+> The following examples are for Microsoft Edge. For Google Chrome:

+>

+> - Change `joeclbldhdmoijbaagobkhlpfjglcihd` to `lfmemoeeciijgkjkgbgikoonlkabmlno`.

+> - Change the `update_url` to `https://clients2.google.com/service/update2/crx`.

+### Show or hide the extension on the browser toolbar

+You can show or hide the extension icon on the browser toolbar. By default, extension icons are hidden from the toolbar.

+The following example installs the extension and shows the extension icon on the toolbar by default, but still allows users to hide it. Other values are `force_shown` and `default_hidden`. For more information about configuring extensions for Microsoft Edge, see [A detailed guide to configuring extensions using the ExtensionSettings policy](/deployedge/microsoft-edge-manage-extensions-ref-guide).

+```json

+{

+ "joeclbldhdmoijbaagobkhlpfjglcihd": {

+ "installation_mode": "force_installed",

+ "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",

+ "toolbar_state": "default_shown"

+ }

+}

+```

+### Show or hide advanced settings button

+You can show or hide the advanced settings button to users in the extension. By default, the advanced settings button is shown and users have access to toggle each setting on or off. If you hide the advanced settings button, users can still collect logs.

+Here's what the extension looks like when the advanced settings button is hidden:

+This example installs the extension and hides the advanced settings button. Alternatively, to show the advanced settings button, set `HideAdvancedSettings` to `false`.

+```json

+{

+ "joeclbldhdmoijbaagobkhlpfjglcihd": {

+ "installation_mode": "force_installed",

+ "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",

+ "HideAdvancedSettings": true

+ }

+}

+```

+## Browser extension status

+The extension icon changes based on whether multimedia redirection is available on the current web page and which features are supported. The following table shows the different states of the extension icon and their definitions:

+| Icon State | Definition |

+|--|--|

+| :::image type="content" source="./media/multimedia-redirection/browser-extension-icon-loaded.png" alt-text="The multimedia redirection extension is loaded, indicating that content on the web page can be redirected."::: | The multimedia redirection extension is loaded, indicating that the website can be redirected. |

+| :::image type="content" source="./media/multimedia-redirection/browser-extension-icon-not-loaded.png" alt-text="The multimedia redirection extension isn't loaded, indicating that content on the web page isn't redirected."::: | The multimedia redirection extension isn't loaded, indicating that content on the web page isn't redirected. |

+| :::image type="content" source="./media/multimedia-redirection/browser-extension-icon-video-playback.png" alt-text="The multimedia redirection extension is currently redirecting video playback."::: | The multimedia redirection extension is currently redirecting video playback. |

+| :::image type="content" source="./media/multimedia-redirection/browser-extension-icon-call.png" alt-text="The multimedia redirection extension is currently redirecting a call."::: | The multimedia redirection extension is currently redirecting a call. |

+| :::image type="content" source="./media/multimedia-redirection/browser-extension-icon-error.png" alt-text="The multimedia redirection extension failed to load correctly. You might need to uninstall and reinstall the extension or the Remote Desktop Multimedia Redirection Service, then try again."::: | The multimedia redirection extension failed to load correctly. You might need to uninstall and reinstall the extension or the Remote Desktop Multimedia Redirection Service, then try again. |

+## Video playback redirection

+The following sections contain information about how to test video playback redirection and how you can configure advanced settings.

+### Websites for video playback redirection

+The following websites are known to work with video playback redirection, and which work by default.

+ :::column span="":::

+ - `AnyClip`

+ - `AWS Training`

+ - `BBC`

+ - `Big Think`

+ - `Bleacher Report`

+ - `Brightcove`

+ - `CNBC`

+ - `Coursera`

+ - `Daily Mail`

+ - `Facebook`

+ - `Fidelity`

+ - `Flashtalking`

+ - `Fox Sports`

+ :::column-end:::

+ :::column span="":::

+ - `Fox Weather`

+ - `IMDB`

+ - `Infosec Institute`

+ - `LinkedIn Learning`

+ - `Microsoft Learn`

+ - `Microsoft Stream`

+ - `Microsoft Teams live events`

+ - `NBC Sports`

+ - `The New York Times`

+ - `Pluralsight`

+ - `Politico`

+ - `Reuters`

+ - `Skillshare`

+ :::column-end:::

+ :::column span="":::

+ - `The Guardian`

+ - `Twitch`

+ - `Udemy`\*

+ - `UMU`

+ - `U.S. News`

+ - `Vidazoo`

+ - `Vimeo`

+ - `The Wall Street Journal`

+ - `X`

+ - `Yahoo`

+ - `Yammer`

+ - `YouTube` (including sites with embedded `YouTube` videos).

+ :::column-end:::

+> [!IMPORTANT]

+> Video playback redirection doesn't support protected content. Protected content can be played without multimedia redirection using regular video playback.

+### Test video playback redirection

+After you enable multimedia redirection, you can test it by visiting a web page with video playback from the list in [Websites for video playback redirection](#websites-for-video-playback-redirection) and following these steps:

+1. Open the web page in Microsoft Edge or Google Chrome on your remote session.

+1. Select the Microsoft Multimedia Redirection extension icon in the extension bar on the top-right corner of your browser. If you're on a web page where multimedia redirection is available, the icon has a blue border (rather than grey), and shows the message **The extension is loaded**. For web pages that support video playback redirection, **Video Playback Redirection** has a green check mark.

+

+ :::image type="content" source="media/multimedia-redirection/browser-extension-loaded-video-playback-redirection.png" alt-text="A screenshot of the multimedia redirection extension in the Microsoft Edge extension bar with video playback redirection enabled." lightbox="media/multimedia-redirection/browser-extension-loaded-video-playback-redirection.png":::

+

+1. On the web page, play a video. Check the status of the extension icon that multimedia redirection is active in your browser, which should look like the following image:

+ :::image type="content" source="./media/multimedia-redirection/browser-extension-icon-video-playback.png" alt-text="Testing video playback redirection, the multimedia redirection extension is currently redirecting video playback.":::

+#### Microsoft Teams live events

+Microsoft Teams live events aren't media-optimized when using the native Teams app in a remote session. However, if you use Teams live events with a browser that supports Teams live events and multimedia redirection, multimedia redirection is a workaround that provides smoother Teams live events playback in a remote session. Multimedia redirection supports Enterprise Content Delivery Network (ECDN) for Teams live events.

+To use multimedia redirection with Teams live events, you must use the web version of Teams. Multimedia redirection isn't supported with the native Teams app. When you launch the live event in your browser, make sure you select **Watch on the web instead**. The Teams live event should automatically start playing in your browser with multimedia redirection enabled.

+### Advanced settings for video playback redirection

+The following advanced settings are available for video playback redirection. You can also hide the advanced settings button from users; for more information, see [Show or hide advanced settings button](#show-or-hide-advanced-settings-button).

+- **Enable video playback for all sites (beta)**: By default, video playback redirection is limited to the sites listed in [Websites for video playback redirection](#websites-for-video-playback-redirection). You can enable video playback redirection for all sites to test the feature with other web pages. This setting is experimental and might not work as expected.

+- **Video status overlay**: When enabled, a short message appears at the top of the video player that indicates the redirection status of the current video. The message disappears after five seconds.

+- **Enable redirected video playback overlay**: When enabled, a bright highlighted border appears around the video playback element that is being redirected.

+To enable these advanced settings:

+1. Select the extension icon in your browser.

+1. Select **Show Advanced Settings**.

+1. Toggle the settings you want to enable to **on**.

+### Allow or block video playback redirection for specific domains

+If you configure multimedia redirection using Microsoft Intune or Group Policy, you can allow or block specific domains for video playback redirection.

+> [!NOTE]

+> The following example is for Microsoft Edge. For Google Chrome:

+>

+> - Change `joeclbldhdmoijbaagobkhlpfjglcihd` to `lfmemoeeciijgkjkgbgikoonlkabmlno`.

+> - Change the `update_url` to `https://clients2.google.com/service/update2/crx`.

+This example installs the extension and allows **learn.microsoft.com** and **youtube.com**, but blocks all other domains. You can use this example as part of the steps in [Enable the browser extension](#enable-the-browser-extension).

+```json

+{

+ "joeclbldhdmoijbaagobkhlpfjglcihd": {

+ "installation_mode": "force_installed",

+ "runtime_allowed_hosts": [ "*://*.learn.microsoft.com";"*://*.youtube.com" ],

+ "runtime_blocked_hosts": [ "*://*" ],

+ "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",

+ "toolbar_state": "default_shown"

+ }

+}

+```

+## Call redirection

+The following sections contain information about how to test call redirection and how you can configure advanced settings.

+### Websites for call redirection

+The following websites are known to work with call redirection, and which work by default.

+- [`WebRTC Sample Site`](https://webrtc.github.io/samples)

+- [`Content Guru Storm App`](https://www.contentguru.com/en-us/news/content-guru-announces-its-storm-ccaas-solution-is-now-compatible-with-microsoft-azure-virtual-desktop/)

+- [`Twilio Flex`](https://www.twilio.com/en-us/blog/public-beta-flex-microsoft-azure-virtual-desktop#join-the-flex-for-azure-virtual-desktop-public-beta)

+### Test call redirection

+After you enable multimedia redirection, you can test it by visiting a web page with calling from the list in [Websites for call redirection](#websites-for-call-redirection) and following these steps:

+1. Open the web page in Microsoft Edge or Google Chrome on your remote session.

+1. Select the Microsoft Multimedia Redirection extension icon in the extension bar on the top-right corner of your browser. If you're on a web page where multimedia redirection is available, the icon has a blue border (rather than grey), and shows the message **The extension is loaded**. For web pages that support call redirection, **Call Redirection** has a green check mark.

+

+ :::image type="content" source="media/multimedia-redirection/browser-extension-loaded-call-redirection.png" alt-text="A screenshot of the multimedia redirection extension in the Microsoft Edge extension bar with call redirection enabled." lightbox="media/multimedia-redirection/browser-extension-loaded-call-redirection.png":::

+

+1. On the web page, make a call. Check the status of the extension icon that multimedia redirection is active in your browser, which should look like the following image:

+ :::image type="content" source="./media/multimedia-redirection/browser-extension-icon-call.png" alt-text="Testing call redirection, the multimedia redirection extension is currently redirecting video playback.":::

+### Enable call redirection for specific domains

+If you configure multimedia redirection using Microsoft Intune or Group Policy, you can enable one or more domains for call redirection. This parameter enables you to specify extra sites in addition to the [Websites for call redirection](#websites-for-call-redirection). The supported format is the fully qualified domain name (FQDN) with up to one subdirectory. The following formats are supported:

+- `contoso.com`

+- `conferencing.contoso.com`

+- `contoso.com/conferencing`

+The following formats aren't supported:

+- `www.contoso.com`

+- `contoso.com/conferencing/groups`

+- `contoso.com/`

+> [!NOTE]

+> The following example is for Microsoft Edge. For Google Chrome:

+>

+> - Change `joeclbldhdmoijbaagobkhlpfjglcihd` to `lfmemoeeciijgkjkgbgikoonlkabmlno`.

+> - Change the `update_url` to `https://clients2.google.com/service/update2/crx`.

+This example installs the extension and adds calling sites `contoso.com`, `conferencing.contoso.com`, and `contoso.com/conferencing`, which are separated by a semicolon `;`:

+```json

+{

+ "joeclbldhdmoijbaagobkhlpfjglcihd": {

+ "installation_mode": "force_installed",

+ "AllowedCallRedirectionSites": "contoso.com;conferencing.contoso.com;contoso.com/conferencing",

+ "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",

+ "toolbar_state": "default_shown"

+ }

+}

+```

+### Enable call redirection for all sites for testing

+You can enable call redirection for all sites to allow you to test web pages that aren't listed in [Websites for call redirection](#websites-for-call-redirection). This setting is experimental and can be useful when developing integration of your website with call redirection.

+To enable call redirection for all sites:

+1. On a local Windows device, add the following registry key and value:

+ - **Key**: `HKEY_CURRENT_USER\Software\Microsoft\MMR`

+ - **Type**: `REG_DWORD`

+ - **Value**: `AllowCallRedirectionAllSites`

+ - **Data**: `1`

+1. Connect to a remote session and load a web browser, then select the extension icon in your browser.

+1. Select **Show Advanced Settings**.

+1. Toggle **Enable call redirection for all sites (experimental)** to **on**.

+ :::image type="content" source="./media/multimedia-redirection/browser-extension-loaded-advanced-settings-call-redirection-all-sites.png" alt-text="A screenshot showing the browser extension with the option Enable call redirection for all sites (experimental) set to on.":::

+## Next step

+To troubleshoot issues or view known issues, see [our troubleshooting article](troubleshoot-multimedia-redirection.md).

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+1. To test the configuration, connect to a remote session and play audio. Verify that you can hear audio as expected. Make sure you're not using Microsoft Teams or a web page that's redirected with [multimedia redirection](multimedia-redirection-video-playback-calls.md) for this test.

+ - To allow audio and video playback redirection, toggle the switch to **Enabled**.

+ - To disable audio and video playback redirection, toggle the switch to **Disabled**.

+1. To test the configuration, connect to a remote session and play audio. Verify that you can hear audio as expected. Make sure you're not using Microsoft Teams or a web page that's redirected with [multimedia redirection](multimedia-redirection-video-playback-calls.md) for this test.

+1. To test the configuration, connect to a remote session and play audio. Verify that you can hear audio as expected. Make sure you're not using Microsoft Teams or a web page that's redirected with [multimedia redirection](multimedia-redirection-video-playback-calls.md) for this test.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+ - To allow video capture redirection, toggle the switch to **Disabled**.

+ - To disable video capture redirection, toggle the switch to **Enabled**.

+> Redirect video encoding is different to [multimedia redirection](multimedia-redirection-video-playback-calls.md), which redirects video playback and calls to your local device for faster processing and rendering.

+ - To allow clipboard redirection, toggle the switch to **Disabled**.

+ - To disable clipboard redirection, toggle the switch to **Enabled**.

+ - To allow drive redirection, toggle the switch to **Disabled**.

+ - To disable drive redirection, toggle the switch to **Enabled**.

+ - To allow MTP and PTP redirection, toggle the switch to **Disabled**.

+ - To disable MTP and PTP redirection, toggle the switch to **Enabled**.

+ - To allow printer redirection, toggle the switch to **Disabled**.

+ - To disable printer redirection, toggle the switch to **Enabled**.

+ - To allow serial or COM port redirection, toggle the switch to **Disabled**.

+ - To disable serial or COM port redirection, toggle the switch to **Enabled**.

+ - To allow smart card device redirection, toggle the switch to **Disabled**.

+ - To disable smart card device redirection, toggle the switch to **Enabled**.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+> - [Multimedia redirection](multimedia-redirection-video-playback-calls.md) for audio, video and call redirection.

+ - To allow WebAuthn redirection, toggle the switch to **Disabled**.

+ - To disable WebAuthn redirection, toggle the switch to **Enabled**.

+Here are the current known issues and limitations for multimedia redirection:

+- In the first browser tab a user opens, the extension pop-up might show the message **The extension is not loaded** or a message that says video playback or call redirection isn't supported while redirection is working correctly in the tab. You can resolve this issue by opening a second tab.

+- Multimedia redirection only works on Windows. Any other platforms, such as the macOS, iOS, Android, or connecting to a remote session in a web browser on any platform, don't support multimedia redirection.

+- Multimedia redirection doesn't work as expected if the session hosts in your deployment block `cmd.exe`.

+- If you aren't using the default Windows size settings for video players, such as not fitting the player to window, not maximizing the window, parts of video players might not appear correctly. If you encounter this issue, you should change the settings back to the default settings.

+- If your monitor or browser scale factor isn't set to 100%, you might see a grey pattern appear on the video screen.

+### Known issues for video playback redirection

+- Video playback redirection doesn't support protected content.

+- When you resize the video window, the window's size adjusts faster than the video itself. You also see this issue when minimizing and maximizing the window.

+- If you access a video site, sometimes the video remains in a loading or buffering state but never actually start playing. For now, you can make videos load again by signing out of your remote session and signing in again.

+### Known issues for call redirection

+- Call redirection only works for WebRTC-based audio calls on the sites listed in [Call redirection](multimedia-redirection-video-playback-calls.md#call-redirection).

+- When you disconnect from a remote session, call redirection might stop working. You can make redirection start working again by refreshing the webpage.

+- If you see issues on a supported WebRTC audio calling site and enabled the **Enable video playback for all sites** setting in the multimedia redirection extension pop-up, disable the setting and try again.

+### The MSI installer doesn't install the browser extension

+- If the `.msi` file doesn't install the browser extension, you can install the multimedia redirection extension from the Microsoft Edge Store or Google Chrome Store. You need to use the following links as the extension isn't searchable:

+ - [Multimedia redirection browser extension (Microsoft Edge)](https://microsoftedge.microsoft.com/addons/detail/wvd-multimedia-redirectio/joeclbldhdmoijbaagobkhlpfjglcihd)

+ - [Multimedia browser extension (Google Chrome)](https://chrome.google.com/webstore/detail/wvd-multimedia-redirectio/lfmemoeeciijgkjkgbgikoonlkabmlno)

+- Installing the extension on host machines with the MSI installer prompts users to either accept the extension the first time they open the browser or display a warning or error message. If users deny this prompt, it can cause the extension to not load. To avoid this issue, install the extensions by [editing the group policy](multimedia-redirection.md#install-the-browser-extension-using-group-policy).

+- Sometimes the host and client version number disappears from the extension status message, which prevents the extension from loading on websites that support it. If you installed the extension correctly, this issue is because your host machine doesn't have the latest C++ Redistributable installed. To fix this issue, install the [latest supported Visual C++ Redistributable downloads](/cpp/windows/latest-supported-vc-redist).

+If calls aren't going through, certain features don't work as expected while multimedia redirection is enabled, or multimedia redirection doesn't enable at all, you must submit a [Microsoft support ticket](/azure/azure-portal/supportability/how-to-create-azure-support-request).

+## Collect logs

+If a web page isn't working as expected with multimedia redirection, you can collect logs to help troubleshoot the issue. To collect logs:

+1. Select the extension icon in your browser.

+1. Reproduce the issue on the web page, then select the extension icon again and for **Collect logs**, select **Stop**. Your browser automatically prompts you to download one or more log files that you can save and use with support cases.

+For more information about this feature and how it works, see [What is multimedia redirection for Azure Virtual Desktop?](multimedia-redirection-video-playback-calls.md).

+- Updated multimedia redirection articles for the preview of call redirection. Learn more at [Multimedia redirection for video playback and calls in a remote session](multimedia-redirection-video-playback-calls.md).

+ Title: What's new in multimedia redirection? - Azure Virtual Desktop

+This article has the latest updates for host component of multimedia redirection for Azure Virtual Desktop.

+The following table shows the latest available version of multimedia redirection for Azure Virtual Desktop. For setup instructions, see [Multimedia redirection for video playback and calls in a remote session](multimedia-redirection.md).

+| Public | 1.0.2404.4003 | [Multimedia redirection](https://aka.ms/avdmmr/msi) |

+- Released general availability-compatible multimedia redirection host.

+Learn more about multimedia redirection at [Multimedia redirection for video playback and calls in a remote session](multimedia-redirection-video-playback-calls.md).

+For more information about which sites are compatible with this feature, see [Call redirection](multimedia-redirection-video-playback-calls.md#call-redirection).

+Multimedia redirection is now generally available. Multimedia redirection enables smooth video playback while viewing videos in a browser running on Azure Virtual Desktop. For more information, see [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-multimedia-redirection-mmr-on/ba-p/3736489) or [Multimedia redirection for video playback and calls in a remote session](multimedia-redirection-video-playback-calls.md).

+An upgraded version of multimedia redirection for Azure Virtual Desktop is now in preview. We've made various improvements to this version, including more supported websites, RemoteApp browser support, and enhancements to media controls for better clarity and one-click tracing. Learn more at [Multimedia redirection on Azure Virtual Desktop (preview)](multimedia-redirection.md) and [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop/new-multimedia-redirection-upgrades-on-azure-virtual-desktop-are/m-p/3639520).

+An upgraded version of multimedia redirection for Azure Virtual Desktop is now in preview. We've made various improvements to this version, including more supported websites and media controls for our users. Learn more at [Multimedia redirection for Azure Virtual Desktop](multimedia-redirection.md) and [our blog post](https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/new-multimedia-redirection-upgrades-on-azure-virtual-desktop-are/ba-p/3264146).

+Newly created or deleted subnets will have their route table updated with eventual consistency. The processing time may vary based on the volume of subnet creation and deletion.

+- Azure Virtual Network Manager requires a managed resource group to store the route table. If you need to delete the resource group, deletion must happen before any new deployments are attempted for resources in the same subscription.

+- UDR Management supports creating 1000 UDRs within a route table. This means that you can create a routing configuration with a maximum of 1000 routing rules.

+az network manager scope-connection create --resource-group "myRG" --network-manager-name "myAVNM" --name "ToTargetManagedTenant" --description "This is a connection to manage resources in the target managed tenant" --resource-id "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e" --tenant-id "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+ az login --tenant "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+ az account set --subscription aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ az network manager connection subscription create --connection-name "toCentralManagementTenant" --description "This connection allows management of the tenant by a central management tenant" --network-manager-id "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myRG/providers/Microsoft.Network/networkManagers/myAVNM"

+az network manager group static-member create --network-group-name "CrossTenantNetworkGroup" --network-manager-name "myAVNM" --resource-group "myAVNMResourceGroup" --static-member-name "targetVnet01" --resource-id="/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ | **Enable BGP route propagation** | Leave **unchecked**. |

+ "appId": "11112222-bbbb-3333-cccc-4444dddd5555",

+ "tenant": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "appId": "22223333-cccc-4444-dddd-5555eeee6666",

+ "tenant": "bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f"

+ "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",

+Azure Virtual Network encryption is a feature of Azure Virtual Network. With Virtual Network encryption, you can seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Virtual Network encryption protects data that traverses your virtual network from virtual machine to virtual machine.

+| Virtual machines in the same virtual network (including virtual machine scale sets and their internal load balancer) | Supported on traffic between virtual machines from these [SKUs](#requirements). |

+| Virtual network peering | Supported on traffic between virtual machines across regional peering. |

+| Global virtual network peering | Supported on traffic between virtual machines across global peering. |

+## Extract the VPN client profile configuration package

+If your P2S gateway configuration was previously configured to use the older, manually registered App ID versions, your P2S configuration doesn't support the Linux VPN client. See [About the Microsoft-registered App ID for Azure VPN Client](point-to-site-entra-gateway.md).

+Locate and extract the zip file that contains the VPN client profile configuration package. The zip file contains the **AzureVPN** folder. In the AzureVPN folder, you'll see either the **azurevpnconfig_aad.xml** file, or the **azurevpnconfig.xml** file, depending on whether your P2S configuration includes multiple authentication types. The .xml file contains the settings you use to configure the VPN client profile.

+### Modify profile configuration files

+If your P2S configuration uses a custom audience with your Microsoft-registered App ID, you might receive error message **AADSTS650057** when you try to connect. Retrying authentication usually resolves the issue. This happens because the VPN client profile needs both the custom audience ID and the Microsoft application ID. To prevent this, modify your profile configuration .xml file to include both the custom application ID and the Microsoft application ID.

+## Import client profile configuration settings

+In this section, you configure the Azure VPN client for Linux.

+## <a name="modify"></a>Modify profile configuration files

+If your P2S configuration uses a custom audience with your Microsoft-registered App ID, you might receive popups each time you connect that require you to enter your credentials again and complete authentication. Retrying authentication usually resolves the issue. This happens because the VPN client profile needs both the custom audience ID and the Microsoft application ID. To prevent this, modify your profile configuration .xml file to include both the custom application ID and the Microsoft application ID.

+description: Learn how to configure the Azure VPN Client to connect to a virtual network using VPN Gateway point-to-site VPN, OpenVPN protocol connections, and Microsoft Entra ID authentication from a Windows computer. This article applies to P2S gateways configured with the Microsoft-registered App ID.

+#Audience and custom App ID values are not sensitive data. Please do not remove. They are required for the configuration.

+1. Update the profile configuration files with a custom audience value (if applicable).

+## <a name="modify"></a>Modify profile configuration files

+If your P2S configuration uses a custom audience with your Microsoft-registered App ID, you might receive the error message **CAA20004** when you try to connect. Retrying authentication usually resolves the issue. This happens because the VPN client profile needs both the custom audience ID and the Microsoft application ID. To prevent this, modify your profile configuration .xml file to include both the custom application ID and the Microsoft application ID.

+1. Change the name of the Connection name (optional). In this example, notice that the Audience value shown is the new Azure Public value associated to the Microsoft-registered Azure VPN Client App ID. The value in this field must match the value that your P2S VPN gateway is configured to use.

+1. If the profile that you want to configure is connected, disconnect the connection, then highlight the profile and select the **Connect automatically** check box.

+Currently, Azure supports both modes of VPN gateways: route-based VPN gateways and policy-based VPN gateways. They're built on different internal platforms, which result in different specifications. For more information about gateways, throughput, and connections, see [About VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md).

+ "policyId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/drewRG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/globalWafPolicy",

+ "requestQuery": "X-AzureApplicationGateway-CACHE-HIT=0&SERVER-ROUTED=10.4.0.4&X-AzureApplicationGateway-LOG-ID=aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e&SERVER-STATUS=404",

+ "policyId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/drewRG/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/perListener",

+ "resourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/DEMOWAF_V2/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DEMOWAF-V2",